AD-A069  770 


ILLINOIS  UNI V AT  URBANA-CHAMPAIGN  COORDINATED  SCIENCE  LAB  F/6  9/2 
DIAGNOSIS*  SELF-DIAGNOSIS  AND  R0VIN6  DIAGNOSIS  IN  DISTRIBUTED  D — ETC(U) 
SEP  78  R K NAIR  DAAB07-72-C-0259 


fjiPit 


fl 

a 

I 

I T 

* 

l 

l 

I I 

I 

I 

0 


^SECURITY  CLASSIFICATION  OF  This  PACE  (Wiph  Q«««  Bntarad) 

REPORT  DOCUMENTATION  PAGE  befo!eDco2ple?ScNfor»* 

V 'report  NUMBER  , |2.  GOVT  ACCESSION  NO.|  1-  RECIPIENT'S  CATALOG  NUMBER 


I «.  TITLE  (and  Subtllla) 


DIAGNOSIS,  JjELF^piAGNOSIS  AND 
FN  DISTRIBUTED  DIGITAL  SYSTEM: 


ROVING  DIAGNOSIS 


|7.  authors; 


Ravindra  Kumar/Nair 


9.  PERFORMING  ORGANIZATION  NAME  ANO  ADORESS 

Coordinated  Science  Laboratory' 

University  of  Illinois  at  Urbana-Champalgn 
Urbana,  Illinois  61801 

II.  CONTROLLING  OFFICE  NAME  ANO  AOORESS  > 

Joint  Services  Electronics  Program  C 

l«.  MONITORING  AGENCY  NAME  • AOORESV"  dlllaranl  Iron  Control  ling  Olllca) 


IS.  DISTRIBUTION  STATEMENT  (a!  thla  Report; 


S.  TXPE  OF  REPORT  b PERIOO  COVERED 

/orj  

Technical  ^(ep«t,y  j 

v«-  FEW  FORCING  PRO.  REPORT  NUMBER/  ~ 

) R-823/  UILU-ENG  78-2216 V 


DAAB*07-72-C-0259l 


10.  PROGRAM  ELEMENT.  PROJECT,  TASK 
AREA  • WORK  UNIT  NUMBERS 


(7PiP 


IS.  number  of  pages 
132 

IS.  SECURITY  CLASS,  (at  thla  report; 

UNCLASSIFIED 

ISe.  DECLASSIFICATION/ DOWNGRADING 
SCHEDULE 


Approved  for  public  release;  distribution  unlimited 


I 17.  DISTRIBUTION  STATEMENT  (at  tha  abatract  entered  In  Blaek  20.  It  dltlaranl  tram  Report; 


I ib.  supplementary  notes 


1 19.  KEY  WOROS  (Contlnu*  on  r^vmram  aid*  it  n«c««*«ry  Identity  by  block  numb") 


'jO 

i 1 


Diagnosable  distributed  digital  systems  Roving  graph 

Fault  tolerant  computing  System  diagnosis 

Implication  index  System  decomposition 

Open  circuit  dlagnosabillty  System  reconfigurability 

Roving  diagnosis System  reusability 

ko  ABSTRACT  fContfnue  on  reveree  alda  It  neeeeeery  and  Idanllty  by  blacBUUnbar) 

This  report  studies  various  problems  related  05  the  diagnosis  of  systems  which 
may  be  conveniently  partitioned  into  subsystems  on  modules  capable  of  performing 
tests  among  themselves.  Traditionally,  system  diagnosis  has  aimed  at  the 
detection  of  one  or  more  faulty  units  in  systems.  In  certain  critical  opera- 
tions like  large  distributed  systems, it  is  desirable  to  know  precisely  which 
units  in  the  system  are  fault-free.  The  report  first  considers  the  problem  of 
determining  at  least  one  fault-free  unit  in  a system.  Necessary  and  sufficient 
conditions,  as  well  as  more  convenient  sufficient  conditions  for  solving  the  * 


do 


FORM 
JAN  7} 


EDITION  OF  I NOV  SS  IS  OBSOLETE 


7 


SECURITY  CLASSIFICATION  of  THIS  PAGE  (»han  Data  Bn  I a 


UNCLASSIFIED 

ICCUWTY  ClAMIPICATION  or  THIS  P AOt(Whm  Of 


20.  ABSTRACT  (continued) 
problem  have  been  obtained. 

tffth~Vview  to  facilitatingdiagnosis  of  very  large  systems,  a study  has 
been  made  to  predict  the  behavior  of  the  diagnosability  when  systems  have 
known  diagnosabilities  are  interconnected  to  other  systems. 

The  J*fnving  diagnositf*r^scheme  introduced  in  the  report  is  an  attempt  to 
achieve  self-diagnosis  in  distributed  digital  systems  while  involving  as 
few  units  in  diagnosis  as  possible  at  any  given  time.  A ^window^^s 
associated  with  the  subsystem  composed  of  the  testing  and  tested  units. 
Diagnosis  of  the  entire  system  is  achieved  by  moving  this^rindow  around  th 
system.  Related  issues  which  are  studied  include  reconf fguration  of  the 
system  under  a fault  and  the  reusability  of  the  system  after  reconfigura- 
tion. Certain  properties  of  the  system  communications  graph  are  shown 
to  lead  to  desirable  systems  where  the  delay  in  reconfiguring  around  a 
fault  is  small. 


Accession  For 

E>C  TA2 

Unsu-jounc^d 

fctiHc  lion 


iDin.-  1'  -r»  * ~ ./ 

• — -*■ .g-.  - 

— f.}T I'-'-' ' 4 t^Cedea 

I A. all  and/or 
Cist  special 


UNCLASSIFIED 


111 


0 


0 

0 

a 

0 

1 


» ■* 


This  work  was  supported  in  part  by  the  Joint  Services  Electronics 
Program  (U.S.  Army,  U.S.  Navy  and  U.S.  Air  Force)  under  Contrace  DAAB-07- 
72-C-0259. 


Reproduction  in  whole  or  in  part  is  permitted  for  any  purpose  of 

•t 

the  United  States  Government. 


App-'-  ed  for  public  release.  Distribution  unlimited. 


DIAGNOSIS,  SELF-DIAGNOSIS  AND  ROVING  DIAGNOSIS 
IN  DISTRIBUTED  DIGITAL  SYSTEMS 


Ravindra  Kumar  Nair,  Ph.D. 

Coordinated  Science  Laboratory  and  Department  of  Computer  Science 
University  of  Illinois  at  Urbana-Champaign , 1978 

This  thesis  studies  various  problems  related  to  the  diagnosis 
of  systems  which  may  be  conveniently  partitioned  into  subsystems  on 
modules  capable  of  performing  tests  among  themselves.  Traditionally, 
system  diagnosis  has  aimed  at  the  detection  of  one  or  more  faulty 
units  in  systems.  In  certain  critical  operations  like  large  distri- 
buted systems,  it  is  desirable  to  know  precisely  which  units  in  the 
system  are  fault-free.  The  thesis  first  considers  the  problem  of 
determining  at  least  one  fault-free  unit  in  a system.  Necessary  and 
sufficient  conditions,  as  well  as  more  convenient  sufficient  conditions 
for  solving  the  problem  have  been  obtained. 

With  a view  to  facilitating  diagnosis  of  very  large  systems, 
a study  has  been  made  to  predict  the  behavior  of  the  diagnosability 
when  systems  having  known  diagnosabilities  are  Interconnected  to  other 
systems. 

The  "roving  diagnosis"  scheme  introduced  in  the  thesis  is  an 
attempt  to  achieve  self-diagnosis  in  distributed  digital  systems  while 
involving  as  few  units  in  diagnosis  as  possible  at  any  given  time.  A 
"window"  is  associated  with  the  subsystem  composed  of  the  testing  and 
tested  units.  Diagnosis  of  the  entire  system  is  achieved  by  moving  this 
window  around  the  system.  Related  issues  which  are  studied  include 
reconfiguration  of  the  system  under  a fault  and  the  reusability  of  the 
system  after  reconfiguration.  Certain  properties  of  the  system 
communications  graph  are  shown  to  lead  to  desirable  systems  where  the 
delay  in  reconfiguring  around  a fault  is  small. 


ill 


0 

0 

0 

Q 

0 

0 

Q 

0 

v_/ 

0 

u 

D 

Q 

Q 

0 

0 


ACKNOWLEDGMENT 

The  author  wishes  to  express  his  gratitude  to  Prof.  Gernot  Metre 
for  his  guidance,  advice,  support  and  encouragement  at  all  times.  The 
author  also  thanks  Prof.  Jacob  Abraham  for  the  many  useful  suggestions  and 
discussions. 

Special  thanks  are  due  to  Mrs.  June  Wingler  and  Mrs.  Mary  McMillen 
for  their  excellent  typing. 


1 


iv 


TABLE  OF  CONTENTS 


Chapter  Page 

1.  INTRODUCTION 1 

1.1  System  Diagnosis 1 

1.2  A Summary  of  Earlier  Work 2 

1.3  Thesis  Objectives 3 

2.  DETECTION  OF  FAULT-FREE  UNITS  IN  SYSTEMS 7 

2.1  Introduction 7 

2.2  Preliminaries 8 

2.3  Confirming  the  Absence  of  a Fault 9 

2.4  Discussion * 26 

3.  DIAGNOS ABILITY  AND  SYSTEM  DECOMPOSITION 28 

3.1  Introduction 28 

3.2  STPF  and  SMPT  Systems... 29 

3.3  General  Cases 34 

3.4  Discussion 46 

4.  SELF-DIAGNOSIS  STRATEGIES  FOR  HIGH  PERFORMANCE 

DISTRIBUTED  SYSTEMS 50 

4.1  Introduction 50 

4.2  System  Model 51 

4.3  A Strategy  for  Diagnosis 53 

4.4  System  Reconfiguration 56 

4.5  Fault  Assumptions 59 


*1 


4.6  Fault  Models 


63 


V 


r 


U 


y 

o 

j 

3 

3 


K 

■ 


0 

a 

9 

o 

3 

u 

a 

o 

o 

Q 


9 

1 


J 


Chapter 

5.  ROVING  DIAGNOSIS 

5.1  Introduction 

5 . 2 Roving  Graphs 

5.3  Minimization  of  Test  Time 

5.4  Determination  of  Roving  Graph 

5.5  Roving  Graphs  for  SMPT  Systems 

5.6  Roving  Graphs  for  STPF  Systems 

5.7  Roving  Graphs  for  General  Systems.. 

5.8  Diagnosis  of  Initial  Nodes 

6.  FURTHER  IMPLICATIONS  OF  ROVING  DIAGNOSIS 

6.1  Introduction 

6.2  Reconfigurability 

6.3  Reusability 

6.4  Self-Testable  System  Design 

6.5  Miscellaneous  Practical  Aspects.... 

7.  CONCLUDING  REMARKS 

7.1  Detection  of  a Fault-Free  Unit 

7.2  Decomposition  of  Systems 

7.3  Roving  Diagnosis 

REFERENCES 

VITA 





Page 


i 


65 

65 

65 

72 

76 

79 

82 

90 

97 

102 

102 

102 

109 

111 

120 

125 

125 

125 

126 
129 
132 


1 


u 

u 

0 

0 

Li 

0 

u 

a 

o 

Q 

0 

0 

ll 


1.  INTRODUCTION 


1.1  System  Diagnosis 

Since  the  early  days  of  research  in  diagnosis  of  digital  systems 
much  attention  has  been  paid  to  the  generation  of  test  sets  for  the 
detection  and  location  of  component  faults.  The  stuck-at-1  and  stuck-at-0 
model  was  the  one  most  commonly  used  to  solve  the  diagnosis  problem  by 
considering  the  logic  behavior  of  the  system  under  faulty  and  fault-free 
conditions.  Results  for  the  single  stuck-at  fault  case  have  been  very 
encouraging.  Multiple  stuck-at  faults  have  been  found  to  be  more  difficult 
to  contend  with. 

In  contrast  to  the  component-level  diagnosis  as  mentioned  above, 
system-level  diagnosis  aims  at  a higher  level,  where  the  basic  atoms  are 
not  gates  but  entire  functional  modules  interconnected  appropriately  to 
form  the  system.  A few  reasons  may  be  cited  for  the  study  of  diagnosis 
at  the  system  level.  Firstly,  the  complexity  of  known  multiple  fault 
detection  algorithms  increases  rapidly  as  the  number  of  components  involved 
increase.  By  breaking  down  the  system  into  reasonable  sized  modules,  the 
problem  could  be  made  more  tractable.  Secondly,  functional  modularization 
occurs  naturally  in  present-day  digital  systems  with  the  proliferation  of 
large-scale  integration.  Consequently  it  restricts  the  range  of  inter- 
action of  faults  and  allows  the  diagnostician  to  take  advantage  of  points 
within  the  system  at  which  logic  values  are  observable.  It  further  serves 
as  a convenient  model  for  diagnosing  distributed  systems. 

It  must  be  mentioned  here  that  system-level  diagnosis  is  not  an 
alternative  to  the  traditional  component-level  diagnosis.  System-level 


2 


» 


diagnosis  assumes  that  tests  exist  for  faults  in  the  modules  composing 
the  system.  Also,  once  a faulty  module  is  identified,  component-level 
testing  is  needed  to  identify  the  faulty  component,  if  it  is  appropriate 
for  the  technology  at  hand. 


f 


: 

I 1 


I 


Ml 


0 

fl 

i 

0 

II 

0 

0 

0 

D 

D 

a 

i 


1.2  A Summary  of  Earlier  Work 

The  pioneering  work  in  the  area  of  system  diagnosis  was  done  by 
Preparata,  Metre  and  Chien  [1].  The  problem  studied  by  them,  termed  the 
connection  assignment  problem,  investigates  the  diagnosability  of  systems 
divided  into  subunits  of  convenient  size  and  complexity.  Each  subunit  in 
the  system  is  assumed  to  be  testable  (completely,  for  some  fault  model) 
by  some  other  subunit  in  the  system.  The  result  of  a test  is  reliable 
only  if  the  testing  subunit  is  fault-free.  Given  the  results  of  the  tests 
performed  by  the  various  subunits  and  the  interconnection  between  them, 
the  problem  of  locating  at  least  one  (sequential  diagnosability)  or  all 
(one-step  diagnosability)  of  the  faulty  subunits  is  attacked.  The 
assumption  made  is  that  no  more  than  a specified  number  of  subunits  can 
become  faulty  between  two  testing  periods.  Further  results  in  the  area 
were  obtained  by  Preparata  [2],  Hakimi  and  Amin  [3]  and  Russell  and 
Kime  [4,5].  The  work  by  Russell  and  Kime  is  noteworthy  because  their 
generalized  results  include  cases  where  more  than  one  unit  is  required 
to  test  a given  unit.  The  probabilistic  treatment  of  the  connection 
assignment  problem  was  undertaken  by  Maheshwari  and  Hakimi  [6]  and  by 
Fujiwara  and  Kinoshita  [7],  while  Mallela  and  Masson  [8]  studied  the 
extension  of  the  problem  to  the  case  of  intermittent  faults. 

Barsi,  Grandoni  and  Maestrini  [9]  introduced  an  interesting 
variation  to  the  Preparata,  Metze  and  Chien  model  by  assuming  that  a 


level  diagnosis  increases  rapidly  as  the  number  of  nodes 
in  the  system  graph  increases.  Further,  the  interconnection 
requirements  make  the  system  more  inflexible  when  the 
number  of  faults  that  the  system  must  tolerate  increases. 
Thus  it  becomes  necessary  to  reconsider  the  basic  fault 
model  for  the  system  and  attempt  to  solve  the  connection 
assignment  problem  for  more  realistic  and  possibly  less 
restrictive  fault  models. 

(ii)  One  of  the  major  concerns  in  the  maintenance  of  any  system 
is  the  amount  of  time  that  is  "lost"  when  the  system  is 
undergoing  diagnosis.  It  appears  that  in  a system  composed 
of  modules  which  can  be  tested  by  other  modules,  testing 
may  be  restricted  to  a small  subset  of  modules  while  the 
rest  of  the  system  is  busy  doing  useful  computation.  It 
should  then  be  possible  to  devise  a testing  strategy  which 
takes  advantage  of  this  potential  parallelism,  in  order  to 
improve  performance  through  increase  in  available 
computational  time. 

(iii)  Most  systems  which  are  deterministically  designed  to 
tolerate  faults  in  a given  fault  model,  are  usually 
capable  of  tolerating  many  other  unmodelled  faults.  In 
practice,  there  are  a few  critical  faults  in  the  fault 
model  which  the  designed  system  can  barely  tolerate. 

However,  these  critical  faults  may  be  so  improbable  that, 
with  a high  degree  of  confidence,  one  may  use  the  same 
system  for  more  than  the  designed  number  of  faults.  In 


6 

and  restrictions  implied  by  this  strategy,  and  presents  techniques  which 
aim  at  minimizing  hardware  external  to  the  system.  Chapter  6 employs  the 
ideas  of  Chapter  5 in  designing  systems  for  given  specifications. 

Chapter  6 also  discusses  how  systems  could  reconfigure  on  the  occurrence 
of  a fault,  what  information  needs  to  be  transmitted  to  which  nodes  on 
the  detection  of  a fault,  and  whether  the  reconfigured  system  is  useful 
in  further  computation  possibly  with  degradation  in  performance. 


7 


2.  DETECTION  OF  FAULT-FREE  UNITS  IN  SYSTEMS 


2.1.  Introduction 

As  described  earlier,  the  connection  assignment  problem  [1]  considered 
the  case  when  no  more  than  a given  number  of  faults  can  occur  in  a system, 
and  when  one  subsystem  alone  is  capable  of  testing  another  completely.  A 
more  general  case  was  considered  by  Russell  and  Kime  [4,5].  Instead  of 
considering  subsystems  testing  others,  their  model  is  formulated  in  terms 
of  faults,  tests  and  the  relationships  between  them.  A system  is  defined 
to  be  d-fault  diagnosable  with  repair  if  and  only  if  there  exists  a sequence 


of  applications  of  a test  set  and  repairs  of  identified  faults  that  allows 
all  faults  originally  present  to  be  identified,  provided  the  number  of  faults 
originally  present  does  not  exceed  d [4] . Hence  a system  is  d-fault  diagnos- 
able  with  repair  if  one  application  of  the  test  set  is  sufficient  to  identify 
at  least  one  fault  present  provided  the  number  of  faults  originally  present 
does  not  exceed  d. 

In  certain  applications,  as  in  airline  reservation  systems,  it  may 
not  be  desirable  to  have  any  faulty  units  around,  so  that  the  integrity  of 
the  data  base  can  be  maintained.  Under  such  circumstances,  one  step  diag- 
nosabilitv  [1]  (also  called  d-fault  diagnosability  without  repair  [5])  may 


be  the  only  acceptable  solution.  This  condition  has  been  shown  to  be  very 
demanding  in  terms  of  nodes  and  interconnections  required. 

Another  approach  to  the  problem  is  to  design  for  a system  in  which, 
after  the  application  of  a test  sequence,  at  least  m fault-free  units  can 
be  identified  (which  can  then  proceed  to  execute  tasks  vital  to  the  system) 
provided  the  number  of  faults  present  does  not  exceed  a given  number,  say  d. 
The  properties  of  such  systems  will  now  be  investigated. 


8 


! 0 

i a 

I u 
i o 

; 0 


0 


2.2.  Prellminarlea 

The  model  and  notation  will  follow  those  of  Russell  and  Kime  [4] 

quite  closely.  Some  of  the  details  will  be  presented  for  completeness. 

Associated  with  a system  S there  is  assumed  to  be  a set  3 * 

ff,»f„»...,f  ] of  n possible  faults  and  a set  J * ft  ,t  ,...,t  } of  p p^ss- 
t 1 2 nJ  ^ l 2 p J 

1 2 2n 

fail  tests.  F ■ [F  ,F  ,...,F  } is  the  set  of  all  subsets  of  3.  F(d)  is 

the  set  of  all  fault  patterns  containing  d or  fewer  faults  and  F(d)  c F. 

The  F-array  for  the  system  is  a Boolean  array  having  F^  ■ 1 if  fault 
k 

f^6  F and  0 otherwise. 

A test  tj  is  a complete  test  for  fault  f^  if  t^  always  fails  when 
f ^ alone  is  present  in  S and  always  passes  when  the  system  is  fault-free. 
The  set  of  all  complete  tests  for  f^  is  denoted  by  tCf^).  Extending  this 

notation,  t (f ^ > f j , • • . , f * t (f U t(f^)U  ...U  t (f ^) • 

k k 

T(F  ) is  a set  of  tests  that  are  invalid  in  the  presence  of  F . 

k 

(A  test  tj  is  invalid  in  the  presence  of  fault  pattern  F if  the  presence 
of  F causes  the  outcome  of  t^  to  be  unpredictable  or  unreliable.)  The 
generalized  fault  array  or  the  G-arrav  for  a system  is  defined  as 

( °- 1£  'i4  t(Fk)  and  t ^ f T(Fk) 

Gk  - / 1,  if  t j € t (Fk)  and  tjgTCF*) 

X,  otherwise. 

\ 

The  diagnostic  graph  D of  a system  S is  a labelled  directed  graph 
that  has  a vertex  for  each  fault  in  3 and  a directed  edge  from  the  vertex 
associated  with  fault  f^  to  the  vertex  associated  with  fault  f^  if  and  only 
if  f^  invalidates  at  least  one  test  that  is  complete  for  f^,  i.e., 
T(f^)0t(fj)  t 0.  The  directed  edge  is  labelled  by  tests  in  the  set 


T(£1)nt(£j).  Directed  edges  to  £^  with  no  origin  are  labelled  by  tests  in 


the  set  t(f^)  - T(3)* 


i o 


To  illustrate  these  concepts,  consider  the  system  whose  diagnostic 
graph  is  shown  in  Figure  2.1. 

• ^ * (fi,f2,f3,f4^ * * " Ctl’t2,t3*t4,t5*t6^* 

• The  set  of  tests  for  the  fault  f^  is  t(f^)  ■ {t^,tj}. 

• The  set  of  faults  that  Invalidate  test  t^  is  {£2}* 

• The  set  of  faults  that  Invalidate  test  t^  is  {f^,f^}. 

• The  set  of  tests  invalidated  by  fault  f^  is  T^)  * {t2,t3,t4)* 

• The  set  of  faults  invalidated  by  3 is  T (3)  - T(f L) U T(f2> U T(fj) U T(f4> 

^tl,t2’t3’t4,t5^* 

• The  set  of  tests  that  are  not  invalidated  by  any  fault  in  3 is  [t^]. 


2.3.  Confirming  the  Absence  of  a Fault 

In  the  Russell-Kime  model,  the  determination  of  a fault-free  unit 
is  equivalent  to  the  confirmation  of  the  absence  of  a fault.  This  problem 
can  be  related  to  d/s  diagnosability  (see  Friedman  [16]). 

A system  S is  said  to  be  d/s  diagnosable  without  repair  (or  one- 
step  d/s  diagnosable)  if  by  a single  application  of  the  diagnostic  test 
sequence  any  multiple  fault  F € F(d)  can  be  diagnosed  to  within  s single 
faults.  The  problem  of  confirming  the  absence  of  at  least  m faults  under 
the  assumption  that  there  are  no  more  than  d faults  in  the  system  is  then 
equivalent  to  the  problem  of  d/ (n  - m)  diagnosability  without  repair. 

The  cubical  intersection  operator  (“I  as  defined  by  Roth  [17]  will 
be  used.  Let  c^.c^ € [0,1, X}”.  Then 


* f 


0 

u 

0 

0 

0 

a 

o 

a 

u 

0 

[1 

0 

0 

B 

0 

0 


11 


4-cJ- 


c n 


0 (empty) , if  any  c*  n - 0 

(c  1 n ci  X c2  n c2  x • • • X c*  n c|} ) , otherwise 


with  the  PI  operations  among  0,  1 and  X defined  as  in  Table  2.1. 


Table  2.1.  Intersection  Operation 


n 

0 

1 

X 

0 

0 

0 

0 

1 

0 

1 

1 

X 

0 

1 

X 

Theorem  2.1 

(a)  A system  S * GJ.TjF.G)  is  d/s  diagnosable  without  repair  if 

and  only  if,  for  any  F*,F^ , . . . ,F^  € F (d) , | F'*'  U F^  U •• . U Fkj  > s implies 

ilk 
G n GJ  n ...  p G ■ 0,  s < n. 

(b)  A system  S ■ (3,,7,F,G)  is  d/n  diagnosable  without  repair  if 
and  only  if,  for  F^€F(d),  Fk  f 0 implies  G j ■ 1 for  some  tj€.T* 

Proof : 

(a)  Let  | F1  U F^  U • • • U Fk|  > s imply  G±  H Gj  H . . . n Gk  - 0.  Then 

i 1 k i 1 ki 

G pGJ  p ...  nG  0 implies  |F  UFJU  ...|JF  | £ s.  Hence  after  each  applica- 
tion of  the  test  sequence  an  outcome  results  that  could  have  been  due  to 

i j k 

the  presence  of  any  of  the  fault  patterns  in  a set  [F  ,F  , ...,F  } c F(d). 

Since  |F*uF^u  ...yF^I  £ s,  the  actual  faults  must  be  contained  in  a set 

of  faults  whose  cardinality  is  not  greater  than  s. 

i 1 k 

To  prove  necessity,  let  G n (r  [1  ...  p G t 0.  Then  each  of 
i 1 k 

F , F , ...,F  can  give  rise  to  the  same  test  outcome.  If,  in  addition, 

i 1 k 

| F U FJ  U ...  F | > s,  then  at  least  s + 1 possible  faults  must  be  considered 
to  ensure  Inclusion  of  all  the  actual  faults. 


W 


12 


■ 


(b)  S is  d/n  diagnosable  without  repair  if  and  only  if  S ia  d- 
fault  detectable,  i.e.,  if  and  only  if  some  test  definitely  fails  for  fault 
pattern  Fk€{F(d)-0},  i.e.,  if  and  only  if,  for  some  Gj  ■ 1. 


Q.  E.D. 


Example  2.2 


Consider  F(2)  for  the  single-loop  system  whose  graph  is  shown  in 

Figure  2.2.  Here  3 - * J m CVVVW ; F-  F<2)  - 

._12  13  _14  _15  23  _24  „.25  „34  „35  „45. , , , _ 

{F  ,F  ,F  ,F  ,F  ,F  ,F  ,F  ,F  ,F  }u{3},  where  F J • {f^f^}.  The 

G-array  for  the  system  is  shown  in  Table  2.2. 

Table  2.2.  G-Array  for  the  Five-Node  Single  Loop  System  of  Example  2.2 


X 


0 


0 


1 


X 


14 


Now  consider  the  syndrome  Ct1»t2,t3,t4,t5}  * {00101}.  This 

34  35  34  35 

syndrome  could  be  produced  by  the  following  faults : F and  F . F lIF  * 
34  35 

{f^}  and  G |"!  G * 001 X 1.  In  this  manner,  one  could  verify  for  all 
faults  Fi,F^,...,Fk€  F(2)  that  G*  H n ...  P G^  + 0 implies 
| F1,  U U ...UFk|  £ 3.  Hence  the  system  is  2/3  diagnosable  without  repair. 

□ 

While  Theorem  2.1  does  give  the  necessary  and  sufficient  conditions 
for  d/s  diagnosability  it  is  rather  cumbersome  to  use  in  actual  practice. 

An  observation  that  is  clear  from  Theorem  2.1  is  that  a system 
which  is  d/s  diagnosable  without  repair  is  also  d/s'  diagnosable  without 
repair  for  s'  > s,  as  long  as  s'  £ n.  Hence  we  can  define  a system  to  be 
s-critically  d/s  diagnosable  without  repair  if  it  is  d/ s diagnosable  without 
repair  but  not  d/(s-l)  diagnosable  without  repair. 

Example  2.3 

The  five-node  single-loop  system  of  Example  2.2  may  be  verified 
to  be  s-critically  2/3  diagnosable  without  repair.  □ 

Theorem  2.2 

A system  S * (3,J",F,G)  whose  diagnostic  graph  is  strongly  connected 
can  be  s-critically  d/(n-l)  diagnosable  without  repair  only  if  for  some 
test,  the  number  of  faults  that  invalidate  the  test  is  at  least  two. 

Proof : 

Assume  otherwise.  Let  [f\f^,  . . . ,F^}  c F(d)  be  a set  of  faults 
such  that  | F1  U F2  U - • • (J  Fk|  * n - 1 and  G1  D G2  P . . . I~1  Gk  + 0.  Such  a set 
exists  because  S is  s-critically  d/(n-l)  diagnosable  without  repair. 

Consider  f*,  Fg,  F*1  such  that  f - 3 - {F1U  F2U  ...  1)  Fk],  F8  is  the  set  of 
all  faults  f^  such  that  T (f fl  t (f x)  t 0 and  Fh  *s  the  set  of  all  faults  f^ 


15 


!J 

U 

0 


i 


0 

0 

a 

a 

o 

a 

j 

J 

u 

u 

a 

a 

o 

o 

0 

a 

1 


such  that  T(fx)f|t(fj)  t 0.  These  faults  exist  because  of  the  strongly 

o h 1 2 k 

connected  nature  of  the  diagnostic  graph.  Clearly  F ,F  €{F  |JF  (J...UF  }. 

Fh  € [F1  n F2  n . . . n Fk}  because  fx  t {F1  U F2  U . . . U Fk}  and  T(fx>  C t (F*1) . For 

all  faults  F1*  € {F^jF2, . . . ,Fk]  and  all  tests  tx€t(fx),  * 0 or  X,  because 

f ^ while  for  all  tests  t €x(f  ),  GP  * 1.  If  GP  ■ X,  then  consider  the 
x y x y x 

fault  FP  ■FPljf  . Hence  GP  * X and  GP  * X,  implying  that 
x x y 

G1  n G2  n ...  P Gk  n GP'  # 0 and  | F1  u F2u  ...  U FkU  FP' | > n - 1,  contradicting 

the  assumption  that  the  system  is  d/(n-l)  diagnosable  without  repair. 

Hence  GP  must  be  0 for  all  F**  g £f\f2,  . . . ,Fk]  indicating  that 
12  tc 

|F  UF  U...UF  | <n  - 1,  a contradiction.  Q.E.D- 

It  is  convenient  to  define  a single-mask-per-test  system  (SMPT 
system)  as  one  in  which  T(fi)f|T(fj)  ■ 0 for  all  f^f^Gj?,  f^  f f^.  A 
strongly  connected  SMPT  system  is  one  whose  diagnostic  graph  is  strongly 
connected.  Hence  the  following  corollaries  can  be  stated. 

Corollary  2.2.1:  If  a strongly  connected  SMPT  system  is  d/(n-l)  diagnosable 
without  repair  then  it  must  be  d/ (n  - 2)  diagnosable  without  repair. 

Corollary  2.2.2:  If  a strongly  connected  SMPT  system  is  d/ (n  - m)  diagnosable 
without  repair,  m > 0,  then  the  system  is  d-fault  diagnosable  with  repair 
(or  sequentially  d-fault  diagnosable). 

Proof : 

12  k 

Let  [F  ,F  ,...,F  } C F(d)  be  a set  of  faults  such  that 

| F1  U F2  U • • • U Fk|  - n - m and  G1  H G2  n . • • n Gk  0.  Let  f , f be  faults 

x y 

such  that  fx  € 3 - {F1  U F2  U . • . U Fk] , fy€  [F^J  F2U  ...  U Fk}  and 

T(f  ) fl  t (f  ) f*  0.  Let  t € T(f  )f|t(f  ).  Then  for  all  faults 
x y y x y 

FPg  {Fl,F2,...,Fk},  G^  - 1,  indicating  that  f f € [F1  H F2  fl  . . . f\  Fk] . Hence 
the  system  is  sequentially  d-fault  diagnosable. 


! 


Q.E.D. 


16 


! 0 


L 


Lemma  2.3 


If  a strongly  connected  SMPT  system  is  sequentially  d-fault  diag- 
nosable,  then  it  must  be  d/ (n  - m)  diagnosable  without  repair  for  some  m > 0. 


Proof : 


Let  {f\f2,  . . . ,Fk]  c F(d)  be  a set  of  faults  such  that 


F1  fl  F2  n . . . fl  Fk  + 0 and  PG^  n ...  n Gk  / 0.  Such  a set  must  exist 
because  the  system  is  sequentially  d-fault  diagnosable.  Let 
f 6 F^ft  F^fl  ...  ("I  Fk.  Clearly  for  all  tests  t € t (f  ) , GP  = 1 or  X for 

X XXX 

FP€  fF^.F2, . . . ,Fk1 . If  GP  = X then  for  the  fault  FP  - f = FP  , GP  = 1 or 

l ’ •»  X X X 

X and  for  all  tests  ty6T(y  GP  = X,  GP  =0  or  1.  Hence 

g1  n g2  n ...  n Gk  n gp’  t but  F1nF2n...nFknFp'cF1nF2n...nFk. 

12  k 

Proceeding  in  this  manner  for  other  faults  belonging  to  F fl  F fl  . . . 0 F , 
faults  F^  ,...,FV  may  be  found  so  that  G1  PG2  P ...  PGkPGP  P G**  P ... 
n GV  1 0,  but  F1fl  F2PI  ...  fl  Fkfl  FP  n Fq  n . • • n Fv  “ 0 Violating  the  sequen- 
tial d-fault  diagnosability  of  the  system.  Hence  there  must  be  some 
f € FLPI  FZn  ...  H Fk  such  that  GP  - 1 for  all  FP  € f F1  ,F2, . . . ,Fk]  , indicating 


that  1 F1 U F2 J ... U FK|  < n. 


Q.E.D. 


Theorem  2.3 


A strongly  connected  SMPT  system  is  d/ (n  - m)  diagnosable  without 
repair  for  some  m > 0 if  and  only  if  it  is  sequentially  d-fault  diagnosable 
with  repair. 

Proof : 

Follows  from  the  proofs  of  Corollary  2.2.2  and  Lemma  2.3. 

The  above  results  are  particularly  useful  for  the  systems  that 
have  been  studied  traditionally  like  the  single-loop  systems  or  the 
systems  [1].  All  these  studies  assume  that  a subsystem  or  unit  can  be 


T1  " 


G 

i G 
| G 
t 0 


I D 


G 

0 

' D 

*1  0 

’ i 

Is-') 


tested  completely  by  another  unit.  This  would  imply  that  when  more  units 
are  employed  to  test  some  unit  each  of  the  units  performs  a complete  test, 
independent  of  the  other  testing  units.  Such  systems  are  hence  SMPT 
systems.  Most  of  the  systems  studied  also  tend  to  be  strongly  connected, 
although  there  appears  to  be  no  reason  for  this  to  be  necessarily  true  in 
practice. 

Theorem  2.4 

A connected  SMPT  system  is  sequentially  d-fault  diagnosable  only 
if  it  is  d/ (n  - m)  diagnosable  without  repair  for  some  m > 0. 


Proof : 


Since  the  system  is  connected  every  fault  must  have  some  test 


which  is  invalidated  by  another  fault.  However,  there  may  exist  faults 
which  do  not  invalidate  any  test.  The  proof  then  is  exactly  the  same  as 
that  for  Lemma  2.3. 

It  is  not  difficult  to  obtain  a counterexample  for  the  converse 
of  Theorem  2.4.  Thus  sequential  d-fault  diagnosability  is  a sufficient, 
but  not  necessary,  condition  for  d/(n-l)  diagnosability  in  a system.  This 
means  then  that  in  systems  where  one  unit  can  be  tested  completely  by 
another,  the  problem  of  finding  one  good  unit  is  never  more  difficult  than 
that  of  finding  one  bad  unit 
Example  2.4 

The  five-node  single-loop  system  of  Example  2.2  is  an  SMPT  system 
because  there  does  not  exist  a set  of  two  faults  [f^,f^}  such  that  f^  f f^ 
and  T(f^)flT(fj)  t 0.  It  was  mentioned  that  this  system  is  2/3  diagnosable 
with  repair.  Since  n * 5,  by  Theorem  2.3,  m > 0 and  hence  the  system  must 


18 


be  sequentially  2-fault  diagnosable  with  repair  This  is  indeed  the  case, 
as  seen  from  Theorem  5 in  the  paper  by  Preparata,  Metze  and  Chien  [1]. 


Example  2.5 

Consider  a general  n-node  single  loop  system.  If  n satisfies  the 
2 

condition  that  n > (m+ 1)  + \(m+l)  for  some  integer  value  of  m and  X - 0,1 

then  Preparata  [2]  has  shown  that  the  diagnosability  with  repair  of  the 

system  must  be  at  least  d = 2m  + X . Let  3 = f fQ,f ^, . . . , f n_^} > T ~ 

ft  ,t.,,...,t  ,1,  t(f.)  * t.  and  T (f . ) * t...  i = 0,l,...,n-l.  Then 

l o 1 n-l;  s i i l i+1  mod  n, 

a syndrome  can  be  expressed  as  a vector  where  each  element  is  a 0 or  a 1 

and  the  ith  element  corresponds  to  the  result  of  test  i. 

Consider  any  syndrome.  The  (n-l)th  element  will  be  considered 

adjacent  to  the  0th  element.  It  can  be  shown  that  the  length  of  the 

largest  consecutive  string  of  0's  in  any  valid  syndrome  assuming  no  more 

than  d faults  must  be  at  least  m+  1.  If  the  tests  corresponding  to  this 

string  are  ft  , t t ,,t  "1  where  q - p mod  n m then  the  fault  f 

° <•  p p+1  q-1  q->  q 

must  be  absent  or  else  there  would  be  at  least  d+1  faults.  Hence  the 
system  is  at  least  d/(n-l)  diagnosable  with  repair,  as  suggested  by 
Theorem  2.3.  □ 

Example  2.6 

The  following  example  (Figure  2.3)  shows  that  a system  is  d/ (n-m) 
diagnosable  without  repair  is  not  necessarily  sequentially  d-fault  diagnosable. 
It  may  be  verified  that  the  syndrome  {0101010}  as  the  outcome  of 

tests  £ , C2* Can  resu*-t  on^y  from  the  absence  of  fault  f^  if 

no  more  than  3 faults  can  occur  simultaneously.  The  system  is  however  not 
sequentially  3-fault  diagnosable.  □ 


I 


A subsystem  s'  * G?'  >J'  ,F'  ,G' ) of  a system  S * (3,J,F,G)  is 
defined  as  a system  in  which 

(i)  3'  <=  3,  j'  = J,  F1  <£  F,  G'  <=  G,  and 
(ii)  if  t^J-' , then  f^,f ^ € 3'  where  t.  6 tCf^,)  and  tj€l(fi),  i.e., 

for  every  test  from  S that  is  included  in  S',  the  fault  for  which 
it  is  a test  and  all  the  faults  that  invalidate  the  test  must  be 
included  in  S'  also. 

Theorem  2.5 

A system  S = (3».T,F,G)  is  d/(n-l)  diagnosable  without  repair  if 
and  only  if  there  exists  a subsystem  S1  * (3* ,j'  >F' ,G' ) of  S with  1 3 * | * z, 
such  that  S'  is  (d  - n+ z)/(z  - 1)  diagnosable  without  repair. 

Proof : 

If  such  a subsystem  exists  then  by  simply  considering  the  subset 
j'  of  tests  in  J,  the  absence  of  a fault  can  be  ascertained  because  the 
assumption  of  at  most  d-  (n-z)  faults  in  S'  implies  at  most  d faults  in  S. 
Conversely,  assume  that  there  does  not  exist  a subsystem  which  is 
(d  - n+ z)/(z  - 1)  diagnosable.  Then  there  exist  faults  {F*,F^}  c F(d-n  + z) 
such  that  |FiU  Fj|  > z-1,  G*"  P!  G"^  t 0 and  { F* , F^ } c F 1 (d  - n + z ) for  some 
subsystem  S'  of  S.  Consider  the  faults  FP  * F^uCS-?'}  an<*  F<*  * 

F^  U • Clearly  GP  - Gq  - X for  all  tests  t €T(3-3')-  Since 

s s s 

|3”3'|  ■ n - z,  | FP  U Fq|  > n - 1,  but  GP  [~\  Gq  t 0,  contradicting  the 
assumption  that  S is  d/(n-l)  diagnosable.  Q.E.D. 

The  necessity  of  the  condition  in  Theorem  2.5  implies  that  to 
build  a system  in  which  a good  unit  can  always  be  found,  under  the  assump- 
tion that  no  more  than  d faults  can  occur,  there  must  exist  a "kernel"  in 
the  system  in  which  a good  unit  can  always  be  found  assuming  that  the 








21 

number  of  faults  is  no  more  than  a certain  maximum,  which  depends  on  the 
number  of  units  in  the  kernel. 

A self-testine  system  S * F,G)  is  defined  as  one  in  which 

T(3>)  * t(3>),  i.e.,  every  test  in  the  system  is  invalidated  by  some  fault  in 
the  system. 

Theorem  2.6 

A necessary  condition  for  a self-testing  system  S ■ (7,J", F,G)  to 
be  d/ (n  - 1)  diagnosable  without  repair  is  that  n a 2d  + 1. 

Proof: 


1 


u 


1 


Let  n £ 2d.  Then  consider  a fault  Fk  such  that  |Fk|  M n.  Let  F*, 

F^  be  nonempty  disjoint  fault  patterns  such  that  F^ ,F'J  € F(d)  and  F^U  * Fk. 

and  th^T(F  ),  it  must  be  that 

t^^T(F^)  from  the  self-testing  nature  of  the  system.  Hence  * X. 

Similarly  * 1 implies  g5  * X.  This  means  that  G*  P G^  t 0 in  spite  of 
n n 

the  fact  that  |Fi|jF^|  > n - 1.  Hence  the  system  is  not  d/ (n  - 1)  diagnosable 

without  repair.  Q.E.D. 

Ic  k 

For  a fault  pattern  F , the  complement  of  the  pattern  F is 

k k 

defined  as  the  set  of  faults  7-  {F  }.  A fault  pattern  F is  said  to  be  a 
masking  pattern  if  and  only  if  every  complete  test  in  J for  each  fault  in 
[Fk}  is  invalid  in  the  presence  of  Fk,  i.e.,  tCF^J^TCF^).  The  cardinality 
of  the  smallest  masking  pattern  in  F is  termed  the  system  masking  index, 
denoted  by  M(S). 

Theorem  2.7 

For  a system  S to  be  d/ (n  - 1)  diagnosable  without  repair, 


Suppose  some 


1. 


Since  t.  €t(F  ) 
n 


d £ M(S)  < n. 


22 


u 

0 

0 

0 

0 

0 

a 

y 


0 

0 

n 

u 

0 

D 

0 

0 


Proof : 

If  {FP}  - 3,  then  FP  - 0 and  t(0)  - 0C  T(FP).  Hence  M(s)  ills 

obvious.  Assume  that  M(S)  < d.  Then  there  exists  a fault  Fq€F(d-l)  such 

that  t(Fq)  C T(Fq) . Consider  the  faults  F1  - FqUf1,  Fj  - FqUf2>...,  Fk  - 

FqUfr>  where  Fq  * {f ^,f  • ,f  r} . Clearly  F1-^  , . . . ,Fk€  F(d)  because 

Fq£F(d-l).  Also  FinF^D...DFk  * 0.  For  any  test  t €t(f  ),  where 
X X 

f € Fq,  Gq  - X because  t € T(Fq) . Hence  Gq  fl  G1  (1  n . • • fl  Gk  f 0 and 

X X X X X X X 

| Fq  U F*U  ...  U Fk|  * n.  But  this  implies  that  the  system  is  not  d/(n-l) 

diagnosable  without  repair.  Q.E.D. 

Lemma  2.8.1  [4] 

A system  S * (3,J",F,G)  is  d-fault  diagnosable  with  repair  if  and 
only  if,  for  any  F*,F^ , . . . ,Fk  6 F(d)  , F*  D F-^  fl  . . . fl  Fk  * 0 implies 

g1  n gj  n ...  n Gk  - 0. 


Lemma  2.8.2  [4] 

i i k 

Let  £F  ,FJ,...,F  } c F(d)  be  any  set  of  two  or  more  fault  patterns 

i i k 

which  is  minimal  with  respect  to  the  property  that  F fl  FJ H . . . F * 0. 

Then  | F1  U Fj  U . . . U Fk|  s L(^~) 2J  . 


Theorem  2.8 

A sufficient  condition  for  a system  S to  be  d/ (n  - 1)  diagnosable 
without  repair  is  that  S be  d-fault  diagnosable  with  repair  and  n 2 l(^pO  J . 
Proof : 


Let  S - (3,.T,F,G)  and  let  {Fg,Fh, . . . ,Fq}  C F(d)  such  that 

[f®(JF^U  ...  UFq|  ■ n.  Contained  in  that  set  is  a subset  of  two  or  more 

faults  [F^.F^  , . . . ,Fk]  such  that  F*- fl  F1^  fl  . . . fl  Fk  * 0 (by  Lemma  2.8.2).  Since 

i 1 k 

S is  d-fault  diagnosable  with  repair,  by  Lemma 2. 8.1,  G fl  GJ  ("I  ...  IH  G * 0. 
Hence  G®  P G*1  fl  • • • PGq  ■ 0,  satisfying  Theorem  2.1(a).  Q.E.D. 


i 

i 


J 


23 


I:  . i 


I ^ 

E o 


This  example  shows  that  a system  which  is  d-diagnosable  with 
repair  but  for  which  n < U^T-)^  is  not  necessarily  d/(n  - 1)  diagnosable 
without  repair.  Consider  the  diagnostic  graph  of  Figure  2.4. 

In  this  system,  the  fault  f^  can  be  detected  unambiguously  by  test 
t^,  which  cannot  be  invalidated.  If  f^  is  absent  then  t^  will  give  a 
reliable  result,  while  if  f^  is  absent  tests  t2  and  t3  cannot  be  invalidated. 
Thus  at  least  one  fault  can  always  be  detected  (irrespective  of  the  number 
of  faults  in  the  system).  However  a syndrome  like  (11111)  cannot  indicate 
the  absence  of  a fault  unambiguously,  even  if  there  can  be  no  more  than  3 
faults  simultaneously  occurring  in  the  system.  □ 

A fault  pattern  F is  closed  if  and  only  if  every  complete  test  in 

k k 

J for  each  fault  in  F is  invalid  in  the  presence  of  F [4],  i.e., 

t(F^)  c T(F^).  The  implication  1^  of  a fault  F^  is  the  cardinality  of  the 

smallest  closed  fault  pattern  in  F containing  the  fault  F^.  The  system 

implication  index.  I(S),  is  defined  as  the  cardinality  of  the  largest 

implication  for  faults  in  F. 

The  system  closure  index  [4]  denoted  by  c(S)  is  the  cardinality 
of  the  smallest  closed  fault  pattern  in  F. 

Lemma  2.8.3  [4] 

A sufficient  condition  for  a system  S to  be  d- fault  diagnosable 
with  repair  is  that  c(S)  > 1_(^|^)2J*  For  d * n,  S is  n-fault  diagnosable 
with  repair  if  and  only  if  c(S)  * ®. 


Corollary  2.8:  A sufficient  condition  for  a self-testing  system  S to  be 
d/(n-l)  diagnosable  without  repair  is  that  c(S)  > L(^rO  J • 


25 


'1 

u 


[} 


| U 
1 D 


1 D 

i 0 

A s 


!j  a 

i 


Proof : 


By  Lemma  2.8.3,  the  system  must  be  d-fault  diagnosable  with  repair. 


2 

Since  S is  self-testing,  c(S)  £ n,  implying  that  n > LC-j*’)  J«  By  Theorem 


2.8  the  system  must  hence  be  d/(n-l)  diagnosable  without  repair.  Q.E.D. 


Lemma  2.9.1 


i 1 k 

For  a system  S * (3,,T>F,G)  let  F ,F,...,F  € F be  two  or  more 
fault  patterns  such  that  F1  f|  fl  . . • fl  Fk  * 0,  and  FP  - Fi(J  Fj  U . . . U Fk.  If 
|FP|  < IP  then  G1  n Gj  n ...  n Gk  - 0. 


Proof : 


Since  FP  is  not  closed,  there  exists  some  test  t^6t(Fp)  such  that 
t^T(FP).  Let  tj€t(ffa).  Then  f^  g FP  and  since  F*  f]  F-^  fl  • • • fl  Fk  * 0,  there 
exist  F8,Fh€  {F^F^  , . . . ,Fk}  such  that  f^F8,  ffa^Fh.  Since  t ^ f.  T(F8)  and 


tj  *T(Fh),  G8  P Gh 


Q.E.D. 


A single  test  per  fault  (STPF)  system  is  one  in  which  every  fault 


has  one  and  only  one  test,  i.e.,  |t(f^)|  * 1 for  every  f^€3. 


Theorem  2.9 


For  a connected.  STPF  system  S,  a sufficient  condition  for  d/ (n  - 1) 


diagnosability  without  repair  is  that  I(S)  > ^(*—-)  J. 


Proof : 


Consider  a set  of  faults  [F8,Fk, . . . ,F^}  c F(d)  such  that 


|F®uF^U  ...IJF^|*  n.  Since  I(S)  > J there  must  exist  a fault  f 63 

2 l p 

such  that  I(fp)  “ I(S)  > LC^jp)  J.  Hence  there  must  exist  at  least  J faults 


^,^,...,^€3  such  that  I(f x)  - I(fp)  - I(S),  I(f2)  * I(S)  - 1, 


I(f3)  2 I(S)  - 2,  ....  I(fj)  a I(S)  ■ j + 1,  j S I(S).  Since  I(f1)  > 
LC^1)  J,  it  must  also  be  the  case  that  I(f-)  > J>  I(f,)  > 


L(Cdr|}+2>2J  t 1(f  ) > L(td~?)+2)2J.  Now  let  {Fi,Fj,...,Fk}  be  a 


I 


26 


u 

0 

D 

0 


0 

D 


!. 


a 

D 

0 

D 

1 
i 
i 


subset  of  faults  in  which  is  minimal  with  respect  to  the 

property  Fif|Fjn  ...flFk  - 0 and  f eF^F^U  ..-UFk>  f£€FgnFhn  ...(lFq 
for  i > r.  There  must  exist  such  a fault  fp  (because  |FgDF  f|  . . .f)F^|  > d 
otherwise).  Clearly,  | F1  U Fj  U . . . U Fk|  u L(-~£|--+'2)2J  by  Lemma  2.8.2. 
I(Fi,Fj,...,Fk)  2 I(fr)  > L(^-^^+2)2J.  Hence  | F^  Fj  U . • . U Fk|  > 
I(Fi,F'^,...,Fk),  which  by  Lemma  2.9.1  implies  that  G*  (1  P . . . n Gk  ■ 0. 
This  in  turn  implies  G®pG1'n  •••  P * 0 and  hence  the  system  S must  be 
d/ (n  - 1)  diagnosable  without  repair.  Q.E.D. 

Example  2.8 

Reconsidering  the  system  of  Example  2.6,  the  diagnostic  graph  for 

which  is  shown  in  Figure  2.3,  the  following  may  be  noted. 

The  implication  for  the  various  faults  is  as  follows:  iCf^)  * 6, 

I(f2)  - 6,  I(f3)  - 6,  I(f4)  * 6,  I(f5)  - 6,  I(f6)  =■  6,  I(f?)  - 7.  Hence 

the  system  implication  index  is  given  by  I(S)  “ I(f7)  = 7. 

By  Theorem  2.9,  the  system  must  be  3/6  diagnosable  without  repair, 

since  (^“)^|  * 6 7 and  I(S)  “ 7. 

2 ‘<1*3  4 

On  the  other  hand  the  system  closure  index  is  only  6 and  this  does 
not  satisfy  Russell  and  Kime's  condition  [4]  that  c(s)  > L(~— ) J.  Hence 
the  system  is  not  3-fault  diagnosable  with  repair.  Both  these  results  are 
in  keeping  with  the  observation  in  Example  2.6  that  a syndrome  for  3 faults 
exists  for  which  the  absence  of  some  fault  can  be  guaranteed  but  no  fault 
can  be  unambiguously  identified.  □ 

2.4.  Discussion 

By  using  a general  fault  model  first  developed  by  Russell  and 
Kime  [4],  the  theory  has  been  developed  in  this  chapter  for  detecting  the 


I 


13 


; ; 


1 

t 


i\ 


absence  of  a fault  In  a system.  In  distributed  systems,  the  detection  of 
the  absence  of  a fault  is  equivalent  to  the  detection  of  a fault-free  unit. 
The  relationship  between  this  problem  and  that  of  d-fault  diagnosability 
with  repair  (or  the  problem  of  finding  a faulty  unit  in  the  system)  has  been 
detailed. 

The  basic  necessary  and  sufficient  conditions  for  the  confirmation 
of  absence  of  a fault  have  been  derived.  With  the  help  of  a parameter 
termed  the  system  implication  index,  more  convenient  sufficient  conditions 
have  also  been  developed. 


3.  DIAGNOS  ABILITY  AND  SYSTEM  DECOMPOSITION 


3.1.  Introduction 

The  general  techniques  for  determining  diagnosabiiities  of  systems 
with  or  without  repair  or  for  determining  the  faulty  units  given  the 
syndrome  are  not  very  efficient.  For  particular  cases,  as  in  Karunanithi 
and  Friedman  [18]  or  Smith  [19],  algorithms  may  be  found  which  take  poly- 
nomially-bound  time  for  execution.  In  most  general  cases,  however,  the 
complexity  of  the  solution  techniques  becomes  unpractically  high  as  the 
number  of  system  components  becomes  large. 

One  possible  approach  to  the  problem  would  be  to  break  down  the 
problem  into  smaller  parts,  so  that  the  analysis  of  the  parts  can  be 
performed  in  parallel.  However,  interaction  between  the  parts  must  be 
considered  in  many  cases.  This  can  be  done  by  considering  the  results  from 
the  various  parts,  rather  than  the  detailed  network  configuration. 

Two  advantages  result  from  using  such  a hierarchical  approach. 

First,  the  ability  to  introduce  parallelism  in  the  algorithm  implies  more 
efficient  algorithms  for  analysis.  Second,  the  complexity  of  the  global 
analyzer  decreases  because  of  the  smaller  problems  which  it  now  has  to  handle. 
This  translates  to  a reduced  "hard-core"  requirement  for  purposes  of  diagnosis. 

An  approach  in  this  direction  was  made  by  McPherson  and  Kime  [20] 
who  modified  the  Russell  and  Kime  approach  [4,5]  so  that  each  fault  was 
identified  with  a "part"  of  the  system.  It  was  also  assumed  that  no  more 
than  a certain  number  of  faults  could  occur  in  a given  "part"  of  the  system. 

This  section  will  present  some  results  which  help  in  giving  an 
idea  of  the  diagnosability  (with  or  without  repair)  of  systems  composed  of 


subsystems  of  known  diagnosabiiities. 


29 


3.2.  STPF  and  SMPT  Systems 

For  STPF  (s ingle- test-per- fault)  and  SMPT  (single-mask-per-test) 
systems,  the  problem  of  finding  the  diagnosability  of  composite  systems, 
given  subsystem  di?gnosabiiities,  p'ooably  somewhat  simpler  than  for  the 
general  case. 

Lemma  3.1.1  (Russell  and  Kime  [4]) 

An  STPF  system  S is  d-fault  diagnosable  with  repair  if  and  only 
if  the  closure  index  of  the  system  c(S)  > |_(^^)  J* 

A composite  system  S * G5»J"»F,G)  of  two  composing  subsystems  S * 

A 

(3^»J"a»Fa,Ga)  and  Sg  * ^b^B’^B’^B^  is  said  t0  C^at  system  which  3 * 

W ^2^,.  {T(3A)-TA(5A)}nt(3A)  - 0 and  [ T (3g)  - Ig  (SFg) } H t (3  ) - 0. 

If  D,  and  Dg  are  the  diagnostic  graphs  for  S,  S^  and  Sg  respectively  then 

the  last  two  conditions  imply  that  the  only  edges  in  D which  are  not  in 

either  D.  or  D„  are  the  ones  between  nodes  in  DA  and  those  in  D„. 

A B A B 

Example  3.1 

Figure  3.1  shows  a sample  composition  of  two  subsystems,  S.  and 

A 

Sg.  The  diagnostic  graphs  for  the  two  composing  systems  are  depicted  in 
Figures  3.1(a)  and  (b).  The  composite  system  whose  diagnostic  graph  is 
shown  in  Figure  3.1(c)  has  interconnections  in  such  a way  that  exactly  two 
faults  in  each  subsystem  are  invalidated  by  exactly  two  faults  in  the  other 
subsystem.  Thus 

3A  " ffl,f2,f3,f4^ ’ 3B  * f f 5 * f 6 ’ f 7 * f 8 * f 9^  » 

3-  (fl»f2»£3,f4»f5»£6»f7»f8»£9}» 

^A  ftl*t2*t3,t4^*  ^B  tt5,t6,t7’t8,t9^; 

I - [tl»t2,t3,t4,t5,t6,t7,t8,t9,t10,tll}. 


31 


Lemma  3.1*2 


n 


0 

*1  fi 


The  closure  indices  of  the  composing  subsystems  S.,  SD  and  the 

A D 

composite  system  S are  related  by  c(S)  £ min  (c(S  ),c(S  )). 

eL  O 

Proof : 

If  c(S.)  = c(S  ) * ® then  assume  that  c(S)  is  finite.  Let  Fg  be 

A O 

a closed  set  of  faults  in  S.  Let  Fh  be  the  set  of  faults  such  that  F*1  31 

F®fl5.  • Such  a set  must  exist  or  else  there  exists  a closed  set  of  faults 
A 

in  S„.  Since  J is  not  closed,  there  must  exist  some  test  t.  € t (F  ) such 
BA  1 A 

that  t^^T^(F^).  By  the  definition  of  a composite  system,  t^TCF®)  either, 

2 

implying  that  F cannot  be  closed. 

If  either  c(S.)  or  c(S  ) is  finite,  then  assume  that  c(S)  < 

A D 

min  (c  (S.  ) ,c  (S,,) ).  The  argument  is  now  similar  to  the  one  made  in  the 
preceding  paragraph.  Let  Fg  be  a closed  set  of  faults  in  S such  that 
| FS|  < min  (c(S  ),c(S  )).  Let  F^  be  the  set  of  faults  such  that  F*1  = F^Hgt^. 

A O 

Such  a set  must  exist  or  else  F would  be  a closed  set  of  faults  in  Sg  with 

li  h 

cardinality  less  than  c(S„).  Since  |F  | < c(S  ),  F is  not  closed  and  there 

exists  some  test  t.  €t.(F  ) such  that  t.  ^ T.  (F  ).  By  the  definition  of  a 
i A l A 

composite  system,  ti ? T(F®)  either,  contradicting  the  assumption  that  Fg  is 


closed. 


Theorem  3.1 


Q.E . D. 


The  diagnosability  with  repair  of  a composite  system  is  at  least 
as  large  as  the  smaller  of  the  diagnosabilities  of  its  two  composing  systems, 
if  the  composing  systems  are  STPF  systems. 


Proof : 


By  Lemma  3.1.2  c(S)  S:  min  (c (S . ) ,c (S_) ) . Let  d.  and  d_  be  the 

A B A B 


diagnosabilities  of  S.  and  respectively*  Then  c(SA 

A B A 


(S.)  > 


32 


r 

* n 


I fl 


1 

I - u 


o 


|/dB+2\2| 

c (Sg)  > L\ — — ' -I*  Let  ^ be  the  diagnosability  of  the  composite  system. 
Since  c(S)  > min  ) J , it  must  be  that  c(S)  > 

[^min(dA,dB)+2')2| 

L\ ^ ' J > d and  d both  being  positive  integers.  A sufficient 


d and  d both  being  positive  integers.  A sufficient 
A.  B 


condition  for  the  d-diagnosability  of  a system  with  repair  is  c(S)  > L<^)2J 
by  Lemma  2.8.3.  Hence  d 2 min  (d.,d0).  Q.E.D. 

A D 

Lemma  3.2.1 

The  diagnosability  with  repair  of  a system  S whose  closure  index 
is  c(S)  is  at  least  [_v'4c(S)-3  - 2J  . In  the  special  case  when  c(S)  * ®,  the 
diagnosability  with  repair  is  n. 


Proof : 


Follows  from  Lemma  2.8.3  and  some  routine  mathematical  computation. 


Lemma  3.2.2  [4] 

A necessary  condition  for  a system  S to  be  d-fault  diagnosable 
with  repair  is  that  the  closure  index  for  the  system  c(S)  2 2d  + 1. 

Lemma  3.2.3 

In  a strongly  connected  self-testing  SMPT  system,  c(S)  = n,  where 
n is  the  number  of  faults  in  the  system. 


Proof : 


Let  FS€  F be  a closed  set  of  faults  in  S.  Assume  that  |f8|  < n. 


Then  by  the  strongly  connected  nature  of  the  diagnostic  graph,  there  must 

exist  a fault  f^€3,  such  that  T(fi)pt(F8)  f 0.  Let  t^St(fj)  be  the  test 

such  that  t 6 T(f fl  t (F8) . By  the  SMPT  assumption,  there  exists  no  other 

fault  f,  €3,  f .+  f , such  that  T(f  ) = t,.  Hence  t.^T(F8)  and  t(FS)tf  T(F8) 
K.  K 1 K.  J J — 

a 

implying  F cannot  be  closed.  Thus  the  only  closed  set  of  faults  in  the 
system  is  3,  | gr|  = n,  and  c(S)  ="  n.  Q.E.D. 


* ^ ^ 


Theorem  3.2 


If  d^  and  dg  are  the  diagnosabilities  with  repair  of  two  composing 

subsystems  SA  and  S of  a strongly  connected  self-testing  SMPT  composite 
Ad 

system  S,  then  the  diagnosability  with  repair  of  S is  at  least 

[y8(dA+dB)+5  - 2J. 

Proof : 


If  the  composite  system  is  SMPT,  then  the  composing  systems  must 

also  be  SMPT.  Since  the  diagnosabilities  with  repair  of  S.  and  S^  are  d 

and  d , |3  | a 2d  + 1 and  | gt  I 2 2d  + 1 by  Lemma  3.2.2.  Hence  ) 3: 1 i 

d A A d ' 3 

2(d.+d  +1).  Hence  c(S)  = |g;|  2 2(d  +d  +1)  by  Lemma  3.2.3.  From  Lemma 

Ad  Ad 

3.2.1,  it  then  follows  that  the  diagnosability  with  repair  of  the  system  is 

at  least  L/4.2(dA+dB+l)-3  - 2J  orl78(dA+dB)+5  - 2J.  Q.E.D. 

It  must  be  noted  here  that  the  knowledge  of  c(S)  for  the  composite 

system  will  give  a better  lower  bound  for  the  diagnosability.  The  above 

theorem  is  useful  when  nothing  is  known  about  the  composing  subsystems 

except  their  diagnosabilities. 

Theorem  3.3 

If  d^  and  dg  are  the  maximum  diagnosabilities  with  repair  of  two 
composing  subsystems  and  Sg  of  a strongly  connected  self-testing  SMPT 
composite  system  S,  then  the  diagnosability  with  repair  of  S is  at  most 
L(dA+3)2/8  + (dg+3)2/8  - ij. 

Proof : 


Since  the  diagnosabilities  with  repair  of  S and  S are  d.  and 
, .ABA 

11  ' '(dg+l)+2\2| 


B’ 


L(^)J 


and  3 


B 


Hence  | g:  | s: 


L(d.+3)2/4  + lj  + L(d  +3)2/4  + lj  . Since  d is  an  integer,  (d  +3)2/4  - 
A a A A 

L(dA+3)2/4j  is  either  0 or  Hence  it  is  valid  to  say  that 


34 


0 


< H 


|3|  £ |<dA+3)2/4+  (dg+3)2/4  - lj.  From  Lemma  3.2.2  it  then  follows  that  the 
diagnosability  with  repair  of  S is  at  most  ~ L<  dA+3)2/4+  (dg+3)2/4  - 2_|  or 
j_(dA+3)2/8  + (dB+3)2/8  - lj.  Q.E.D. 


Example  3.2 


Consider  the  composite  system  shown  in  Figure  3.2  which  is 
composed  of  two  single-loop  subsystems  3A  = and  = 

Cf4,f5,f6,f7,f8^  * * ~ ? B = {t9>tio}* 

It  can  be  easily  shown  [4]  that  dA  =*  1 and  d^  = 2.  By  Theorem 

3.2,  di  [_A/8(dA+dB)+5  - 2_1-  Hence  d at  [*/S*3+5  -2}  * |_5 . 38  - 2_J  = 3 . By  Theorem 

3.3,  ds  |_(dA+3)2/8+ (dB+3)2/8  - lj.  Hence  ds  [_16/8  + 25/8  - lj  - 4. 

(It  may  be  verified  that  the  actual  diagnosability  with  repair  of 
the  composite  system  is  3.)  □ 

Theorems  3.2  and  3.3  are  useful  in  determining  the  upper  and 
lower  bounds  on  the  diagnosability  of  a system  constructed  from  two  systems 
of  known  diagnosabilities.  It  must  be  mentioned  that  the  requirement  that 
the  composite  system  be  SMPT,  strongly  connected  and  self-testing  is  some- 
what restrictive;  however,  most  of  the  systems  that  have  been  considered  in 
the  literature,  like  the  single  loop  systems  and  the  D^A  systems  [1,18] 
fall  in  this  category. 

3.3,  General  Cases 

For  the  more  general  cases,  direct  results  like  those  obtained 
for  the  SMPT  case  are  more  difficult  to  obtain.  Usually,  the  closure  index 
for  a subsystem  would  be  smaller  than  the  number  of  faults  in  the  single 
fault  set.  In  such  cases,  the  extent  to  which  the  diagnosability  of  the 
composite  system  is  greater  than  that  of  the  composing  subsystems  depends 
on  how  thr*  subsystems  are  connected. 


36 

Lemma  3.4  [4] 

A system  S ■ (3!,J‘»F,G)  is  d-fault  diagnosable  with  repair  if  and 
only  if,  for  any  F*,F^  > • • • >Fb  6 F(d)  , F*  f|  F^  f|  • • • fl  Fk  “ 0 implies 
g1  n gj  n n Gk  - 0. 

A more  general  version  of  Theorem  3.1  may  now  be  stated. 

Theorem  3.4 

The  diagnosability  with  repair  of  a composite  system  is  at  least 
as  large  as  the  smaller  of  the  diagnosabilities  of  its  two  composing 
subsystems. 

Proof : 

Let  the  system  be  S a (3>J‘>F,G)  and  its  two  composing  subsystems 

be  SA  - <3A’j’a,FA,GA)  and  SB  “ ^B’^B^B’S^*  Let  d’  dA  and  dB  be  the 

diagnosabilities  of  s,  S.  and  S_.  Without  loss  of  generality  it  could  be 

A B 

assorted  that  d^  d^.  Consider  a set  offaults,  { Fm,Fn, . . . ,Fr)  c F(d^)  such 

that  Fmn  Fnn  ...  n Fr  = 0.  Hence  Fmn  Fnn  ...  n Frn  3A  “ 0-  Let  F1  - 
F™  (1  3a>  Fj  * •••»  Fk  - Fr  fl  3?a*  Clearly,  { Fi,Fj,...,Fk>  cFA(dA)  and 

F1  n FJ  n • . • n Fk  =“  0.  By  Lemma  3.4,  g!  (1g|  fl  ...  ("I  <£  “ 0 • By  the 
definition  of  a composite  system,  no  fault  in  3 can  mask  a test  . 

Hence  G™  p Gn  P ...  n Gr  * 0.  Since  { Fm,Fn, ...  ,Fr}  c F(dA>  and 
Fmn  Fnn  ...  n Fr  =*  0 implies  G™  n G*1  (1  . • • H G*  - 0 , S must  be  default 
diagnosable  with  repair.  Q.E.D. 

It  is  not  difficult  to  find  examples  of  systems  which  have 


diagnosabilities  as  small  as  the  diagnosability  of  one  of  the  composing 

subsystems.  The  case  when  T - J UJ*  Provides  one  such  example. 

A B 

Similarly,  given  a system,  one  may  be  interested  in  augmenting 
the  diagnosability  of  the  system  by  adding  additional  tests  and  testing 


MB 


units.  This  would  imply  the  augmentation  of  the  diagnostic  graph  for  the 
system,  with  additional  fault  nodes  and  links  representing  tests.  From  the 
above  reasoning  it  may  be  clear  that  certain  types  of  augmentation  of  the 
system  diagnostic  graph  may  not  improve  the  diagnosability  of  the  system  at 
all.  Conversely  there  may  be  certain  "critical"  faults  in  the  system, 
adding  tests  for  which  could  help  in  improving  the  system  diagnosability. 

The  j-open  circuit  diagnosability  of  a system  S,  denoted  by 

d°(S)  is  defined  as  the  diagnosability  of  the  system  s',  which  differs  from 

S in  that  j'  = J’Ut,  , where  t,  is  a new  complete  test  for  f.  and  t.  is  not 

n n j h 

invalidated  by  any  other  fault  in  the  system. 

The  similarity  of  this  measure  with  the  open-circuit  condition  in 
conventional  electrical  networks  will  be  discussed  later.  The  significance 
of  this  measure  will  now  be  demonstrated. 

A subsystem  * ^l’^l’^l*  ®i^  *s  sa^  to  he  1- in-connected  to  a 
system  S ■ (3,J*, F,G)  if  in  the  composite  system  S'  * (31  ,j'  ,F'  ,G' ) there 
exist  some  faults  f^  and  f^  such  that  T(f^)flt(fj)  f 0 (i.e.,  f^  invalidates 
some  test  for  f^)  and  f^SF^,  f^  6 F.  Also,  in  this  case  would  be  said 
to  be  i-out-connected  to  system  S.  In  the  diagnostic  graph  for  the  composite 
system  this  would  be  indicated  by  an  arc  emanating  from  node  i and  directed 
into  node  j. 

Example  3.3 

Consider  the  system  whose  diagnostic  graph  is  shown  in  Figure  3.3. 
The  diagnosability  with  repair  of  the  system  is  3.  The  6 -open-circuit 
diagnosability  of  the  system  is  12,  while  the  10-open-circuit  diagnosability 
of  the  system  remains  3. 


I 

i 


* 

J 


1 

. 

I 

i 


Consider  the  syndrome  100010000000.  If  4 faults  were  allowed  in 
the  system,  then  both  [f^f^f^f^]  and  {fj,fg,f^}  could  have  yielded  the 
same  syndrome.  Hence  the  system  is  not  4-fault  diagnosable  with  repair. 
Since  c(S)  * 7,  the  system  is  3-fault  diagnosable  with  repair.  When 
another  test  for  fg  is  added,  and  this  new  test  cannot  be  invalidated,  then 
the  structure  of  the  graph  ensures  that  the  presence  of  at  least  one  fault 
can  be  detected  if  any  fault  occurs.  On  the  other  hand,  if  a new  test  is 
added  for  f^Q,  a fault  can  be  detected  only  if  at  most  3 faults  occur  or  if 
the  faults  which  occur  include  f^^  or  f^.  □ 

Theorem  3.5 

The  diagnosability  d of  a system  S can  be  improved  by  j-in- 
connecting  another  subsystem  to  S only  if  d°(S)  > d. 

Proof : 

Consider  the  composite  system  s'  obtained  by  j-in-connecting 
to  S.  Let  d',  the  diagnosability  of  S'  be  greater  than  d.  Since  d'  > d 
and  d°(S')  % d',  d°(S')  > d.  Consider  the  system  S2  = £3?2 *^"2 * F2 * G2^  where 
3?2  “ 3v  ^2  " ^l^h  where  ch^  j)  and  th^T(3).  Thus  th  is  a test  for 
f j that  is  not  invalidated  by  any  other  fault  in  the  system.  Let  * 
{33»J’3»F3,G3}  be  another  system  where  3 - 3'»  * j'  U th>  It  must  be  the 

case  that  d2  * d°(S')  > d and  d3  * d°(S)  a d.  Consider  the  set  of  faults 

{F8,Fh,...)FII]cF3(d  + l).  Since  33  CL  • • • >Fm}  c F£(d  + 1) , and 

since  S2  is  at  least  (d+1)  diagnosable  without  repair,  F^DF^fl  ...DF1”  ■ 0 
implies  G®  P Gh  P . ..  p Gm  - 0.  Since  [F8,Fh, . . . .F0}  <=  F.j(d  + 1)  and 
FSn  Fhn  ...  n Fm  * 0 implies  G8  p Gh  p ...  P G™  " 0,  S3  is  (d+1)  diagnosable 
with  repair  by  Lemma  3.4.  Hence  d°(S)  ^ d + 1. 


Q • £ • D • 


I Q 
0 

■I  a 

; D 

’ o 
n o 


4 s 


The  condition  mentioned  above  is  not  sufficient.  This  can  be 
illustrated  by  the  example  of  a STPF  composite  system  in  which  the  closure 
index  does  not  change  due  to  the  in-connection  of  one  subsystem  to  another. 


Example  3.4 


Figure  3.4  shows  a system  taken  from  [4]  which  is  2-fault 
diagnosable  with  repair. 

If  another  system  is  to  be  in-connected  to  the  system  shown  at 
Al,  then  no  improvement  in  diagnosability  can  result,  because  the  closure 
index  for  the  composite  system  can  be  no  greater  than  5.  (A  closed  set  of 
faults  is  {R1,C1,C2,R2,M1} . ) On  the  other  hand,  analysis  shows  that  d°^(S), 
the  open  circuit  diagnosability  for  fault  Cl,  is  9,  implying  that  an 
improvement  in  diagnosability  could  result  by  in-connecting  another  system 


to  Cl. 


Theorem  3.3  essentially  indicates  the  nodes  in  the  diagnostic 


graph  which  are  critical  in  the  sense  described  earlier.  Thus,  there  may 
exist  many  faults  in  the  system  , adding  tests  for  which  may  not  help  in 
augmenting  the  diagnosability  of  the  graph.  In  some  systems,  like  STPF 
systems,  the  closed  set  of  faults  which  define  the  closure  for  the  system 
is  the  "critical"  set. 

Depending  on  the  closure  indices  of  the  connecting  subsystem  and 
the  connected  subsystems,  the  diagnosability  of  the  composite  system  may  or 
may  not  be  greater  than  the  diagnosability  of  any  of  the  subsystems  even  if 
the  conditions  of  Theorem  3.5  were  satisfied.  An  intuitive  idea  of  this 
may  be  obtained  from  Lemma  3.1.3  from  which  we  may  observe  that  if  c(d,S) 
is  the  required  closure  index  to  ensure  d-diagnosability  with  repair  for  a 
system  S,  then  c(d+  1,S)  - c(d,S)  increases  as  d increases.  (This  increase 


is,  in  fact,  linear). 


42 


Generally,  when  two  subsystems  are  connected  together  to  form  a 

composite  system,  the  interconnections  between  the  two  subsystems  may  take 

various  forms.  The  interconnection  will  be  termed  directional  (S.  -•  S_), 

A B 

if  in  the  diagnostic  graph  of  the  composite  system,  all  the  edges  between 
the  two  subsystems  have  their  origin  in  one  subsystem  (S  ) and  are  directed 

A 

towards  the  other  subsystem  (S„).  The  interconnection  will  be  termed  non- 
directional  otherwise.  Two  subsystems  are  called  n-connected  if  there  are 
n edges  between  the  two  subsystems.  Thus  two  subsystems  which  are  non- 
directionally  2-connected  will  have  exactly  one  edge  emanating  from  each  of 
the  subsystems.  This  implies  that  a test  for  some  fault  in  each  of  the 
subsystems  is  masked  by  some  fault  in  the  other  subsystem. 

Theorem  3.6 

If  two  strongly  connected  SMPT  subsystems  S and  S are  direction- 

A O 

ally  interconnected,  S - S , then  the  diagnosability  of  the  composite 

A O 

system  must  be  at  least  as  large  as  the  diagnosability  of  S . 

A 

Proof : 

(We  assume  that  the  composite  system  remains  SMPT  for  tests  for 

all  faults  in  ) Let  [Fi,F^ , . . . ,F^}  c F(d)  be  a set  of  faults  in  the 

i j k 

composite  system  where  d is  the  diagnosability  of  S^.  If  [F  ,F  , ...,F  } c Fa 

ilk  i i k 

then,  by  assumption,  F DFJn...nF  =*  0 implies  G p GJ  p • • • P G =0. 

If  {FiU  FjU  ...  U Fk]  H F f 0 then  {F1 *  D F } fl  f Fj  fl  F } D ...nfFknF  } - 0 

A AJ  AJ  A 

i 1 k 

implies  G pGJp...pG  = 0 because  none  of  the  tests  for  faults  in  3^ 

are  invalidated  by  some  fault  in  3 . If,  on  the  other  hand, 

{Fi * *'J  F-^  1)  . . . U Fk}  H F^  * 0 and  F^  H F-^  fl  , . , fl  Fk  * 0,  then  there  exists  some 

fault  fp€F8,  fp*Fh,  where  F8,Fh  € f Fi,FJ  , . . . ,Fk}  such  that 

t(fp)  t T(FiU  FjU  • • •UFk).  This  is  true  because  otherwise  F*  U F^  u • • • U Fk 


u 


would  be  a closed  set  of  faults  with  cardinality  less  than  (g^l  which 
contradicts  the  strongly  connected  SMPT  assumption  for  the  subsystem.  If 
t(fp)  * tp  then  clearly  n * 0 and  hence  the  composite  system  must 


remain  at  least  d-diagnosable  with  repair. 


Q.  E.  D« 


An  interesting  facet  of  Theorem  3.6  is  that  the  result  does  not 
depend  on  the  diagnosability  of  S_,  as  long  as  S is  strongly  connected  and 
SMPT.  In  fact,  it  may  also  be  seen  that  it  is  not  necessary  for  to  be 
strongly  connected  or  SMPT.  The  following  corollaries  to  Theorem  3.6  can 
be  easily  proved. 

Corollary  3.6.1;  If  a subsystem  S^  with  diagnosability  d is  directionally 
interconnected,  S.  — S_,  to  a strongly  connected  SMPT  subsystem  SD,  the 
diagnosability  of  the  composite  system  is  at  least  as  large  as  d^»  the 
diagnosability  of  S^. 

Corollary  3.6.2:  Let  d^  and  dg  be  the  diagnosabilities  of  the  two  com- 
posing subsystems  of  a strongly  connected  SMPT  composite  system  with  non- 
directional  interconnection.  The  diagnosability  d of  the  composite  system 
obeys  the  relation  d 2 max  (d^,dfi). 

The  above  result  is  useful  in  the  sense  that  it  gives  an  assurance 
that  the  diagnosability  in  a SMPT  system  can  never  deteriorate  by  inter- 


connecting with  other  SMPT  systems  of  any  size.  In  fact,  the  proof  of 
Theorem  3.6  indicates  that  there  are  other  systems  for  which  similar 


11 

d a 


results  may  be  obtained. 

Theorem  3.7 

If  two  subsystems  are  directionally  interconnected,  S.  -•  S , and 

A B 

the  closure  index  of  S_  is  Ig  I , then  the  diagnosability  of  the  composite 

B * B 


system  must  be  at  least  as  large  as  the  diagnosability  of  S^. 


44 


3 


Proof : 


Almost  identical  to  that  of  Theorem  3.6. 


Let  S,  be  a single-loop  system  consisting  of  10  nodes  and  S be 
A B 

an  arbitrary  S node  system  with  closure  index  of  5.  Let  the  directional 

interconnection  S.  -•  S be  as  shown  in  Figure  3.5. 

A B 

The  diagnosability  of  S.  is  4.  The  closure  index  for  the  com- 
posite  system  may  be  verified  to  be  15.  Hence  the  diagnosability  of  the 
composite  system  is  at  least  j^/4  X 15  - 3 - 2_j  or  5 by  Lemma  3.2.1.  This 
agrees  with  Theorem  3.7  by  which  the  diagnosability  must  be  at  least  4.  □ 

A composition  of  two  subsystems  in  which  the  interconnection 
between  the  subsystems  consists  of  new  complete  tests  which  were  not 
originally  tests  for  either  of  the  subsystems  will  be  called  a constructive 
composition.  Such  an  interconnection  will  be  termed  a constructive  inter- 
connection. Thus,  if  * ®a,,7A,FA,GA^  and  SB  = ^B’^B^B’S^  are  the  tW° 
composing  subsystems  for  a composite  system  S ■ (3,J-,F,G)  then 

TC5A)n  W " 0 and  similarly  T<3B>nTA(V  = 0' 

Corollary  3.7.1:  Two  subsystems  and  Sg  with  closure  indices  |3A|  and 
|3g!  connected  with  a non-directional,  constructive  interconnection  yield  a 
composite  system  with  diagnosability  d,  where  d a:  max  (dA>dg). 


Proof : 


Without  loss  of  generality  it  may  be  assumed  that  d a d . Let 

A D 


{F*,F^, . . . ,Fk}  c F(dA),  but  {Fi,FJ,...,Fk}  <t  F(dg).  As  in  the  proof  of 
Theorem  3.6,  if  fF1U  F j U • • • U Fk}  H F t 0 then  f F1  f|  F } fl  fFJn  F } 0 ... 

A A 

k t 1 k 

D {F  fl  F^}  * 0 implies  G riGJn...nG  *0  because  none  of  the  tests  for 
faults  in  3a  is  invalidated  by  any  fault  in  3 . If  [F^F^  J . . . U Fk]HFA  * 0, 


y 


sz . 


f 

■ • 


*1 


•1 


1 

. ii 


\ I 


46 

then,  the  assumption  that  F f|  F fl  • • • fl  F = 0 implies  the  existence  of  some 

test  t , t 6 t(F8),  t ^ t(Fh),  where  F^F*1  £ f Fi,F'' , . . . ,Fk]  such  that 

t t T (F^  UF^U  . . • U F^)  . This  is  true  or  else  F^UF^U  . . . U F^  would  form  a 

closed  set  of  faults  with  cardinality  less  than  1 5 I contrary  to  assumption. 

S 1 

Hence  G8  H Gh  * 0.  Thus  F1  fl  Fj  D . . . D Fk  = 0 implies  G1  D Gj  n . . . H Gk  - 0 
P P 

and  the  system  must  he  d -diagnosable  with  repair.  Q.E.D. 

A 

Corollary  3.7.2:  When  two  subsystems  and  Sg  with  closure  indices  |3^J 
and  |3g|  are  interconnected  non-directionally,  the  composite  system  has  a 
diagnosability  d < max  (d  ,d  ) only  if  the  interconnection  is  non- constructive. 

A U 

Proof : 

Direct  consequence  of  Corollary  3.7.1. 

The  importance  of  these  corollaries  lies  in  the  fact  that  they 
indicate  the  desirable  ways  to  interconnect  subsystems  without  decreasing 
the  diagnosability. 

3.4.  Discussion 

t 

This  chapter  has  attempted  to  determine  the  behavior  of  system 
diagnosability  when  the  system  is  augmented.  When  the  systems  that  are 
being  combined  are  of  the  single-mask-per-test  (SMPT)  type  some  convenient 
upper  and  lower  bounds  for  the  diagnosability  of  the  composite  system  may 
be  obtained.  However,  for  the  general  cases,  the  results  are  not  as 
convenient. 

The  open-circuit  diagnosability  of  the  system  is  a good  way  to 
detemine  if  a certain  interconnection  with  another  system  can  improve  the 
diagnosability  of  the  system.  An  analogy  can  be  made  between  this  measure 
and  the  open-circuit  voltage  in  an  electrical  network. 


I 


J 


For  instance,  the  open-circuit  voltage  between  terminals  a and  b 
of  the  electrical  circuit  of  Figure  3.6  gives  an  indication  of  the 
current  that  will  pass  through  a passive  resistor  R connected  across  those 
terminals.  If  the  open-circuit  voltage  is  zero,  then  no  current  will  pass 
through  R.  However,  if  the  open-circuit  voltage  is  non-zero  then  the 
amount  of  current  that  passes  through  R is  not  immediately  known;  the 
resistance  of  R and  the  Thevenin's  equivalent  resistance  of  the  network 
itself  must  be  known,  in  addition. 

Similarly,  the  open-circuit  diagnosability  of  a computer  network 
indicates  whether  the  increase  in  diagnosability  of  a system  when  another 
subsystem  is  connected  to  it  is  zero  or  non-zero.  As  in  the  case  of 
electrical  networks,  the  actual  increase  in  the  diagnosability  depends  not 
only  on  the  j-open-circuit  diagnosability  but  also  on  other  aspects  of  the 
original  system  and  the  interconnected  subsystem.  Further,  if  the  inter- 
connected subsystem  is  trivially  a global  mechanism  which  can  test  for  fault 
j without  invalidation,  then  the  actual  diagnosability  of  the  system  equals 
the  j-open-circuit  diagnosability. 

An  added  complication  in  the  determination  of  the  diagnosability 
of  composite  systems  is  the  directionality  of  interconnections.  A few 
results  have  been  obtained  for  both  directionally  and  non-directionally 
interconnected  subsystems.  It  may  be  interesting  to  study  systems  in 
which,  if  a test  for  fault  f^  is  invalidated  by  fault  f^,  then  some  test 
for  fj  must  also  be  invalidated  by  f^.  The  complete  duality  of  the  direc- 
tionality of  interconnections  in  such  cases  may  make  them  more  amenable  to 
analysis . 


FP-6245 


Figure  3.6  Significance  of  Open-Circuit  Measures 


49 


Two  benefits  may  be  cited  for  studies  of  composite  system  diagnos- 
ability  as  in  this  chapter.  First,  they  aid  in  determining  desirable  and 
undesirable  interconnections  (from  the  diagnosability  point  of  view)  to 
augment  existing  systems.  Thus  it  is  quite  possible  that  the  diagnosability 
of  a system  actually  deteriorates  when  more  nodes  are  connected  to  the 
system,  if  sufficient  care  is  not  taken  with  the  diagnostic  procedures. 
Second,  once  the  interconnections  have  been  made  in  the  appropriate  manner, 
the  system  still  may  be  viewed  as  a composition  of  subsystems  from  the  point 
of  view  of  diagnosis.  This  could  facilitate  testing  because  by  considering 
smaller  networks  at  a time  the  diagnostic  routines,  which  are  at  best  NP- 
complete  in  computational  complexity,  will  be  able  to  operate  efficiently 
and  economically.  Since  the  global  mechanism  to  analyze  test  syndromes, 
whether  implemented  in  hardware  or  in  software,  is  assumed  to  be  error-free, 
the  reduced  complexity  implied  by  smaller  subsystems  could  be  of  advantage. 


4.  SELF-DIAGNOSIS  STRATEGIES  FOR  HIGH  PERFORMANCE 
DISTRIBUTED  SYSTEMS 


4.1.  Introduction 

Chapter  1 gave  an  overview  of  the  techniques  that  have  been  used 
in  the  past  in  system  diagnosis.  Most  of  these  were  used  to  analyze  the 
diagnosability  of  systems  whose  diagnostic  graphs  were  known.  Very  often, 
such  research  addresses  the  problem  of  optimal  designs  rather  than  designs 
for  systems  that  are  easily  implementable  and  easily  diagnosable,  and 
consequently  the  problem  tends  to  become  formidable  even  for  the  simplest 
of  configurations. 

Simplicity  of  design,  rather  than  optimality,  is  gaining  in 
importance  as  component  costs  continue  to  decrease.  The  time  saved  by  using 
a near-minimal  realization  instead  of  trying  to  obtain  a minimal  realization 
frequently  offsets  the  cost  of  extra  components. 

Another  observation  is  the  implicit  assumption  of  some  global 
mechanism,  call  it  a global  supervisor,  which  is  capable  of  collecting  data 
and  of  sending  commands  to  the  various  subsystems.  Thus  in  the  connection 
assignment  problem  [1],  this  global  supervisor  can  collect  the  results  of 
the  tests  performed  by  the  various  units  and  then  decide  in  a "one-step"  or 
"sequential"  manner  which  units  are  faulty.  In  the  Hayes  approach  [10, 21 ] , 
the  supervisor  can  test  the  units  and  can  reconfigure  the  units  appropriately 
in  the  event  of  a fault.  In  the  test-point  and  blocking  gate  approach 
[13,14],  the  global  mechanism  has  control  over  the  stimuli  that  have  to  be 
propagated  through  the  system  and  can  observe  the  response  of  the  system  to 


these  stimuli. 


In  all  of  the  above  instances  and  in  the  techniques  of  the 


previous  chapters  of  this  thesis,  the  global  supervisor  assumes  the  major 
role  of  ensuring  proper  functioning  of  the  system  while  remaining  fault- 
free  itself.  Such  an  assumption,  while  not  unreasonable  for  ground-based 
systems,  certainly  proves  to  be  a drawback  in  space-  and  air-borne  systems. 

As  the  functions  it  is  required  to  perform  increase  in  complexity,  the 
reliability  of  the  global  supervisor  itself  assumes  greater  importance. 

The  need  is  hence  felt  for  a diagnosis  strategy  wherein  the 
global  hard-core  requirements  in  the  system  are  minimized,  if  not  eliminated, 
so  that  the  system  is  capable  of  testing,  diagnosing  and  reconfiguring 
itself  with  little  or  no  external  help.  The  rest  of  this  thesis  presents  a 
few  ideas  in  this  direction. 

4.2.  System  Model 

The  system  being  considered  will  be  assumed  to  be  composed  of 
many  smaller  subsystems  (or  units  or  modules)  interconnected  physically  to 
form  a network.  Each  subsystem  may  be  a complex  processing  facility  with 
its  own  memory  like  a microcomputer  or  even  a large  computer  (as  in  a 
distributed  nationwide  network)  or  else  it  may  be  a small  digital  device 
which  is  incapable  of  standing  alone,  like  an  I/O  device  which  is  not 
intelligent.  The  only  assumption  being  made  about  the  subsystem  is  that 
by  using  only  its  input  and  output  ports,  each  subsystem  can  be  tested 
completely  for  faults  in  a reasonable  fault  model.  This  is  a major  assump- 
tion, particularly  because  satisfactory  solutions  to  the  test  generation 
problem  in  microcomputers  and  other  large-scale  integrated  circuits  have 
yet  to  appear  in  the  literature. 


52 


It  is  convenient  to  separate  the  model  which  represents  the 
communication  capability  between  units  in  the  network  from  the  model  which 
indicates  the  testing  capabilities  of  the  various  units.  In  order  to 
retain  consistency  with  the  earlier  chapters,  the  graph  for  the  testing 
model  will  be  identical  to  the  diagnostic  graph  of  Russell  and  Kime  [4]. 

A communications  graph  could  also  be  defined  for  the  system  where  each  node 
corresponds  to  a subsystem  or  unit  and  an  edge  from  node  v^  to  node  v^ 
indicates  that  messages/data  can  be  sent  from  the  facility  in  the  system 
corresponding  to  v^  to  that  corresponding  to  Vj . Further,  if  a one-to-one 
correspondence  exists  from  the  set  of  faults  in  the  diagnostic  graph  to  the 
set  of  units  in  the  communications  graph,  the  terms  fault  and  faulty  unit 
may  be  used  interchangeably. 

While  the  communications  graph  could  conceivably  be  a directed 
graph  it  will  often  be  an  undirected  graph.  This  simply  means  that  if 
communication  is  possible  between  two  nodes  in  a system,  it  is  generally 
possible  in  both  directions.  Further,  in  such  cases,  the  diagnostic  graph 
would  form  a subset  of  the  communications  graph,  because  a faulty  node  f^ 
is  unlikely  to  affect  the  results  of  a test  for  a faulty  node  f^  if  the  two 
nodes  are  not  physically  connected.  It  must  be  cautioned,  however,  that  a 
directed  edge  from  f^  to  f^  in  the  diagnostic  graph  need  not  always  imply  a 
directed  edge  from  the  node  corresponding  to  f^  to  that  corresponding  to  f^ 
in  the  communications  graph.  For  instance,  when  one  unit  corresponding  to 
f ^ simply  receives  the  results  of  a test  from  another  corresponding  to  f^, 
the  communications  graph  need  have  only  a link  from  the  latter  node  to  the 
former,  while  the  diagnostic  graph  will  possess  a directed  arc  from  f^  to  f^. 


mm 


53 


0 

u 

0 

0 

0 

i/! 

[] 

0 


4.3.  A Strategy  for  Diagnosis 

This  thesis  aims  at  the  design  of  systems  capable  of  continuous 
self-diagnosis  by  using  the  principle  of  "roving  diagnosis."  In  essence, 
roving  diagnosis  requires  one  part  of  the  system  to  be  diagnosing  another, 
while  the  remainder  of  the  system  continues  normal  operation.  The  part  of 
the  system  most  recently  diagnosed  as  fault-free  now  takes  its  turn  to 
diagnose  another  part.  Thus  there  is  a subsystem  involving  the  diagnosing 
and  diagnosed  units  which  apparently  roves  through  the  system  until  no  part 
of  the  system  remains  undiagnosed.  This  is  in  contrast  to  non-roving 
schemes,  where  either 

(i)  the  system  is  diagnosed  as  a whole,  by  an  external  tester,  or 

(ii)  the  system  is  divided  into  modules  which  may  be  independently 
tested,  but  still  employs  an  external  tester  (the  "roving 
doctor"  scheme),  or 

(iii)  the  system  is  divided  into  identical  modules  performing  identical 
tasks,  with  a vote  on  their  results  determining  their  validity, 
or 

(iv)  the  system  is  divided  into  two  halves,  each  diagnosing  the  other. 

The  problem  with  (i)  and  (ii)  above  is  that  the  reliability  of 
the  external  tester  (or  "the  doctor")  is  never  questioned.  In  (iii),  the 
system  is  never  utilized  anywhere  close  to  its  potential,  although  its 
reliability  can  be  made  quite  high  for  an  arbitrary  but  limited  time.  (iv) 
suffers  from  the  disadvantage  of  having  to  shut  down  a major  portion  of  the 
system  during  diagnosis,  without  even  ensuring  reliable  results. 

The  roving  diagnosis  approach  is  an  attempt  to  solve  one  of  the 
problems  of  Section  4.1,  namely  that  of  eliminating  the  global  supervisor 


I 


r 


LJ 


U 


n 


u 


r i 


54 

in  systems.  It  also  helps  to  keep  from  shutting  the  entire  system  down  for 
diagnosis  and  involves  as  little  a portion  of  the  system  as  possible  for 
diagnosis.  The  extent  to  which  the  approach  is  capable  of  doing  away  with 
the  global  supervisor  depends  a great  deal  on  the  assumed  fault  model  for 
the  system.  Thus  there  exist  faults  whose  identification  is  beyond  the 
capability  of  even  a global  arbiter. 

There  are  a number  of  ways  in  which  system  testing  may  actually 
be  performed  for  roving  diagnosis: 

a)  Testing  is  performed  throughout  the  system  at  preset  intervals  of 
time.  Once  testing  begins,  all  units  in  the  system  are  tested 
with  as  little  a time-gap  between  tests  in  successive  areas  as 
possible.  To  maintain  high  system  utilization,  areas  not  involved 
in  diagnosis  continue  computation  (or  processing). 

b)  The  intervals  of  time  at  which  a particular  unit  is  tested  remain 
constant  and  the  same  as  in  (a) . However,  the  testing  of  successive 
areas  need  not  be  immediate. 

The  major  difference  between  the  two  approaches  is  that  in  (a) 
there  are  fewer,  but  longer,  intervals  of  time  when  the  entire  system  is 
involved  in  computation  only.  In  (b)  the  periods  of  "computation  only"  are 
almost  equally  interspersed  with  the  periods  when  some  area  is  involved  in 
diagnosis.  Figure  4.1  attempts  to  illustrate  this. 

The  actual  time  taken  for  testing  any  unit  will  depend  on 

(i)  length  of  test  routine  (which  also  depends  on  the  complexity  of 
the  unit  and  the  fault  model), 

(ii)  the  number  of  units  involved  in  diagnosis,  and 

(iii)  the  speed  of  the  diagnosing  and  diagnosed  units. 


I 

j 


I 


M 


n 


0 

a 

Q 


[] 


56 

The  time  between  tests  for  any  unit  will  depend  on 
(i)  the  mean  time  between  failures  for  that  unit,  and 
(ii)  whether  or  not  the  unit  is  self-checking.  (If  the  unit  is  self- 
checking, then  another  unit  could  be  continuously  monitoring  the 
output  of  its  checker.  Thus  failures  during  operation  could  be 
caught  fairly  easily.  However,  since  the  exercising  of  all 
possible  code  inputs  during  regular  operation  is  unlikely,  a 
routine  testing  of  the  unit  is  necessitated,  though  possibly  at 
reduced  intervals  of  time.) 


4.4.  System  Reconfiguration 

In  any  self -diagnosing  strategy,  roving  diagnosis  being  no  excep- 
tion, the  occurrence  and  the  identification  of  a fault  must  be  accompanied 
by  the  broadcasting  of  this  fact  to  the  concerned  units  in  the  area  of  the 
fault,  if  not  to  the  entire  system.  The  region  of  dissemination  of  fault 
information  is  governed  by  the  usefulness  of  the  information  to  the  system 
modules  for  purposes  like  reconfiguration. 

Reconfiguration  involves  the  logical  disconnection  of  the  faulty 
components  before  the  system  effects  a recovery  by  restoring  the  integrity 
of  the  data  and  control  to  continue  execution.  If  sufficient  redundancy 
has  been  incorporated  in  the  system,  the  performance  of  the  system  can 
continue  at  the  same  level  as  before  without  degradation  in  the  average 
computing  power.  (The  cost,  of  course,  is  reduced  tolerance  to  further 
faults.)  The  discussion  of  the  future  chapters  will  deal  more  with  whether 
computing  is  at  all  possible  after  reconfiguration  and  the  tolerance  to 
faults  of  the  reconfigured  system,  rather  than  the  degree  of  degradation  of 
performance. 


The  reconfigurability  of  systems  has  been  defined  by  different 


authors  in  different  ways.  For  example,  in  the  Hayes  model  [10],  the  system 
lends  itself  to  reconfiguration  on  the  occurrence  of  a fault  only  if  the 
remaining  system  after  removal  of  faulty  units  contains  a subgraph  isomorphic 
to  the  algorithm  facility  graph.  For  further  discussion  in  this  thesis,  the 
following  definitions  are  proposed: 

A system  will  be  deemed  reconfigurable  if  all  the  neighbors  can  be 
reliably  informed  about  the  fault.  (A  neighbor  of  a unit  is  one  which  has  a 
physical  link  to  that  unit.)  Thus,  on  the  occurrence  of  a fault,  a system 
which  is  reconfigurable  from  that  fault  can  sever  all  links  to  the  faulty 
unit  and  attempt  to  continue  functioning  without  that  unit.  This  is 
important  because  the  retention  of  faulty  units  in  the  system  may  result  in 
misleading  information,  generated  by  the  faulty  unit,  to  be  floating  around 
the  system. 

A system  will  be  termed  reusab le  after  a fault  if  the  system  is 
reconfigurable  from  the  fault,  and  the  communications  graph  of  the  reconfigured 
system  has  the  minimum  number  of  nodes  and  minimum  links  between  the  nodes 
necessary  for  the  useful  functioning  of  the  system. 

An  example  to  illustrate  these  points  is  shown  in  Figure  4.2,  which 
shows  the  communication  graph  for  a system  consisting  of  two  types  of  units. 
Proper  functioning  of  the  system  requires  a connected  communications  graph 
consisting  of  at  least  two  units  of  type  1 and  one  of  type  2. 

There  exist  at  least  two  distinct  paths  between  any  pair  of  nodes 
in  the  graph.  This  ensures  that  any  unit  which  finds  its  neighbor  faulty  can 
inform  all  the  other  neighbors  of  the  faulty  unit  about  the  presence  of  the 
fault.  This  is  no  longer  true  if  two  or  more  faults  can  occur  simultaneously 


59 


in  the  system.  Thus  the  system  of  Figure  4.2  is  reconfigurable  from  at  most 
one  fault.  In  fact,  the  system  remains  connected  after  the  occurrence  of 
any  single  fault,  with  at  least  three  nodes  of  type  1 and  two  of  type  2. 
Hence  the  system  is  also  reusable  after  a single  fault.  (By  adding  more 
links  to  the  system,  as  shown  in  Figure  4.3,  the  system  can  be  made  recon- 
figurable and  reusable  after  two  faults.) 

An  example  of  a system  which  is  reconfigurable  from  three  faults 
but  not  reusable  is  shown  in  Figure  4.4.  If  any  three  units  of  a single 
type  fail,  the  remaining  system,  though  connected,  will  have  fewer  units  of 
that  type  than  required  in  a basic  system. 

4.5.  Fault  Assumptions 

In  order  to  eliminate  any  confusion,  a fault  will  be  considered  to 
be  synonymous  with  a faulty  unit.  This  is  not  only  convenient,  but  also  is 
in  keeping  with  the  primary  concern  of  locating  faults  down  to  a single  unit 
or  a single  node  in  the  communications  graph.  Thus,  a single  fault  refers 
to  a single  faulty  node.  It  may  well  be  that  a fault  in  this  node  involves 
many  physically  distinct  faults,  possibly  of  the  stuck-type. 

It  will  be  assumed  also  that  faults  are  restricted  to  the  nodes  in 
the  communications  graph.  This  assumption  is  justified  for  the  following 
reasons : 

(i)  The  complexity  of  the  units  being  tested,  generally  of  the  micro' 
processor  type,  is  much  larger  than  that  of  the  interconnections 
between  the  units,  thereby  making  the  former  far  more  prone  to 
faults . 

(ii)  Most  communication  between  units,  especially  in  large  computer 
networks,  is  of  the  asynchronous,  handshaking  type.  Hence 


FP-6247 


Figure  4.3  A 2-Fault  Reconfigurable,  Reusable  System 
(Basic  System:  2 of  type  1;  1 of  type  2) 


O yype  1 

0 Type  2 

FP-6248 


Figure  4.4  A 3-Fault  Reconfigurable,  Non-Reusable  System 
(Basic  System:  2 of  type  1;  1 of  type  2) 


obvious  link  faults  can  be  detected  during  regular  operation. 

(The  receipt  of  an  unintelligible  message  or  a non-code  input  is 
an  examp le . ) 

(iii)  Parity  bits  or  other  error-detecting  mechanisms  may  be  used  to 

further  improve  the  reliability  of  links  by  making  them  diagnosable. 

(iv)  Very  often,  the  faults  on  links  dominate  some  faults  on  nodes, 
so  that  the  testing  of  links  in  these  cases  is  accomplished 
automatically  during  the  testing  of  nodes. 

(v)  Schemes,  like  those  used  at  present  in  computer  networks,  e.g. , 
ARPANET  [22],  may  be  used  to  verify  the  liveness  of  links.  At 
periodic  intervals  of  time,  messages  are  sent  to  and  fro  on 
every  link,  between  units  on  the  ends  of  the  link.  These  mes- 
sages will  be  essentially  of  the  type,  "Hello,  I am  fine;  how 
are  you?"  and  attempt  to  cover  the  possibility  of  links  remaining 
unused  for  long  periods  of  time.  While  such  a scheme  is  not 
necessary  to  determine  whether  the  link  is  up  (the  next  handshake 
will  definitely  verify  that) , it  helps  in  the  early  detection  of 
failures  and  reduces  the  delay  in  informing  the  system  about  the 
fault. 

Even  if  it  is  deemed  necessary  to  incorporate  the  possibility  of 
link  failures  into  the  system  model,  the  links  may  be  viewed  as  separate 
"facilities"  and  the  system  communications  graph  can  incorporate  nodes 
corresponding  to  the  links.  This  was  the  technique  used  by  Hayes  [10]  in 
his  facility  graph  approach.  Figure  4.5  shows  a sample  conversion  to  incor- 
porate the  possibility  of  link  failures. 


Figure  4.5(a)  shows  the  communications  graph  for  the  system  with 
the  links  labelled  for  identification.  In  Figure  4.5(c)  the  additional  nodes 
5,  6,  7 and  8 correspond  to  faults  in  the  links  1-2,  2-3,  3-1,  and  4-1 
respectively.  Since  test  t^  in  Figure  4.5(b)  is  essentially  a test  adminis- 
tered by  node  2 on  node  1,  it  requires  that  link  1 - 2 be  up.  Hence  failure 
of  link  1-2  can  invalidate  test  t^,  a fact  reflected  in  the  modified 
diagnostic  graph  by  an  arc  directed  from  new  node  5 to  node  1,  labelled  test 


In  most  of  the  discussion  to  follow,  however,  faults  will  refer  to 
node  faults,  with  link  faults  not  explicitly  considered  in  the  system 
diagnostic  graph.  They  will  be  taken  into  account  implicitly  by  points  (i) 
through  (v)  described  above.  This  allows  one  to  proceed  and  obtain  system 
graphs  which  contain  the  required  number  of  nodes  and  for  which  certain  links 
are  required  from  testing,  reconfiguration  and  reusability  conditions.  The 
remaining  interconnections  between  the  nodes  may  be  added  according  to 


architectural  and  performance  requirements. 


4.6.  Fault  Models 


In  determining  what  fault  models  are  to  be  used  in  a study  of  this 
nature  two  basic  approaches  come  to  mind.  On  the  one  hand,  one  could  take 
a probabilistic  approach,  assuming  that  failure  probability  for  any  given 
unit  follows  a certain  pattern  with  time  and  that  a system  fails  when  the 
basic  system  is  no  longer  contained  as  a subgraph  in  the  existing  system. 

An  approach  of  this  type  has  been  taken  by  Abraham  and  Metze  [23] . The  work 
aimed  at  determining  the  reliability  and  the  performance  of  known  system 
configurations  and  a comparison  of  measurable  parameters  for  the  roving 
diagnosis  approach  with  those  for  classical  redundancy  approaches  Their 


results  indicate  that  a 3 - 3 bipartite  connection  of  six  nodes  is  almost  as 
reliable,  though  far  superior  in  utilization,  as  a hybrid  redundant  scheme 
involving  triplication  and  three  spares.  (The  basic  system  required  two 
nodes  of  identical  type  in  their  example.) 

On  the  other  hand,  a more  deterministic  approach  could  be  taken, 
where  the  basic  assumption  would  be  that  no  more  than  d faults  in  the  system 
could  occur  before  the  existence  of  faults  in  the  system  is  detected.  This 
detection  may  be  a result  of  periodic  testing  of  the  system  or  of  irregular 
operation  of  some  unit  in  the  system.  In  practice,  it  may  be  better  to 
determine  the  frequency  of  testing  based  on  a chosen  value  of  d and  the 
mean  time  between  failures  of  units  in  the  system. 

The  deterministic  approach  is  the  one  that  will  be  taken  in  the 
next  chapter.  While  the  deterministic  approach  leaves  no  margin  of  uncer- 
tainty in  system  designs  for  a given  fault  model,  it  tends  to  yield  designs 
which  are  tolerant  with  a high  probability  to  more  than  the  designed  number 


of  faults. 


5.  ROVING  DIAGNOSIS 


5.1.  Introduction 

The  previous  chapter  introduced  the  concept  of  roving  diagnosis  as 
a practical  and  viable  means  of  performing  diagnosis  in  large  distributed 
digital  systems.  Any  diagnosis  strategy  implies  some  basic  conditions  that 
must  be  met  by  a system  employing  that  strategy.  Thus,  where  testing  is 
concerned,  there  are  certain  configurations  of  the  diagnostic  graph  that 
lend  themselves  to  convenient  roving  diagnosis.  Similarly,  reconfiguration 
and  reusability  are  governed  by  the  organization  of  the  communications  graph 
of  the  system. 

The  object  of  this  chapter  will  be  to  determine  first  how  a 
diagnostic  graph  must  look  in  order  that  roving  diagnosis  be  possible,  and 
second  whether  systematic  algorithms  exist  for  analyzing  systems  with  known 
diagnostic  graphs.  The  following  chapter  will  examine  more  closely  the 
problem  of  reconfiguration  and  discuss  the  practical  questions  posed  by  the 
diagnosis  strategy. 

5.2.  Roving  Graphs 

Figure  5.1  shows  the  diagnostic  graph  for  a system  which  has  been 
modified  to  include  only  a subset  of  the  tests,  retaining  all  the  invalidating 
faults  for  those  tests  selected.  It  may  be  recalled  that,  merely  for  conve- 
nience, a fault  will  be  considered  synonymous  with  a faulty  unit  or  a faulty 
node. 

Two  features  may  be  noted  about  this  graph: 

(i)  The  faults  f^  and  f^  are  shown  without  any  tests.  (These  tests 
may  have  existed  in  the  unmodified  diagnostic  graph,  however.) 


67 


LJ 


n 


0 


) i 

Li 


0 


(ii)  If  the  faults  f^  and  f^  can  somehow  be  shown  to  be  absent  from 

the  system,  then  there  exists  a systematic  sequence  of  tests  which 
may  be  used  to  "rove"  through  the  system.  For  the  graph  shown  one 
such  sequence  could  be  { t2  , t3>  t5>  tg,  t?,  tg, t9>  t1Q,  t^ , t12 , t13, 


C14^‘  ^ employing  this  sequence  of  tests,  one  can  always  make 


sure  that  a test  currently  being  administered  cannot  be  invali- 
dated, under  the  assumption  that  no  faults  occur  during  the  entire 


test  period.  Of  course,  when  some  test  t^  fails  the  fault  f^ 


such  that  t^St(f^)  must  have  occurred,  and  the  appropriate  soft- 
ware routines  now  can  take  over  to  inform  the  concerned  nodes 
about  the  fault  f^. 

A distinguished  node,  like  f^  or  f^  in  Figure  5.1,  which  has  no 
incoming  arc  to  it  will  be  referred  to  as  an  initial  node.  A properly 
ordered  test  sequence  is  defined  as  one  in  which,  for  every  pair  of  tests 
(tf.tj)  in  the  sequence  such  that  t^€t(f^)  and  t^  £T(f^),  t^  precedes  t^ 
in  the  sequence.  A graph  which  possesses  some  initial  nodes  and  in  which  a 
properly  ordered  test  sequence  can  be  found  which  covers  all  the  tests  in 
the  graph  will  be  termed  a roving  graph.  A k-roving  graph  will  be  defined 
as  a roving  graph  with  k initial  nodes.  The  example  of  Figure  5.1  is  a 
2 -roving  graph. 

A roving  graph  is  a form  of  diagnostic  graph  because  the  directed 
edges  represent  tests  and  a relationship  exists  between  the  fault  detected 
by  a test  and  faults  invalidating  that  test.  Thus,  while  every  diagnostic 
graph  need  not  be  a roving  graph,  a subgraph  of  the  diagnostic  graph  can 
always  be  found  which  is  a roving  graph.  In  order  for  the  roving  graph  to 


it 


68 


VJ 


U 


I 

0 


— . j — 


be  meaningful,  all  the  faults  that  invalidate  a test  in  the  diagnostic  graph 

must  invalidate  that  test,  if  it  appears,  in  the  roving  graph. 

A roving  subsystem  S * (3,JL,F,G0)  of  a system  S = (3,J~,F,G)  is  a 

K K K 


subsystem  of  S such  that  J c J",  the  diagnostic  graph  for  S is  a roving 

K R 


graph,  and  if  t.  then  t.  6T„(f .)  for  every  fault  f . such  that  t,  €T(f .). 

IK  1 K J J 1 j 

A minimal  roving  subsystem  of  S is  a roving  subsystem  of  S which  has  the 
least  number  of  initial  nodes. 

Example  5. 1 

Figure  5.2(b)  and  (c)  show  two  roving  graphs  for  a system  whose 
diagnostic  graph  is  shown  in  Figure  5.2(a).  The  two  roving  graphs  are  3- 
roving  and  1-roving  respectively.  It  may  be  verified  by  inspection  that 
the  graph  in  Figure  5.2(c)  is  the  diagnostic  graph  of  a minimal  roving 
subsystem  of  the  original  system.  □ 

Consider  the  roving  graph  as  a simple  directed  graph.  Define  the 
relation  R between  two  nodes  f^  and  f ^ in  the  graph  such  that  f^  R f if 
and  only  if  there  exists  a directed  path  in  the  graph  from  node  f^  to  node 


V 


Theorem  5 . 1 


A diagnostic  graph  is  a roving  graph  if  and  only  if  the  binary 
relation  R on  its  set  of  nodes  defines  a partial  ordering. 

Proof: 

Assume  that  the  diagnostic  graph  is  a roving  graph.  It  is  easy  to 
observe  that  for  every  node  f^  in  the  graph,  f^  R f^,  and  for  nodes  f^,  f^ 
and  f^,  if  f^  R f ^ and  f^  R f^,  then  f^  R f^.  Hence  R is  reflexive  and 


transitive.  Assume  the  existence  of  nodes  f , , f.  such  that  f.  R f.  and 

i J 1 J 


fj  R f^  By  the  definition  of  a roving  graph,  ^ R f ^ implies  that  all  tests 


! 


J 


_i.  ...  'Sttk I MMMHHi' 


FP-625J. 


(a)  Diagnostic  Graph  of  System  S 


(b)  3-Roving  Graph  for  S 


(c)  1-Roving  Graph  for  S 


Figure  5.2  Roving  Graphs  for  a Sample  System 


70 


belonging  to  t(f^)  must  precede  some  test  t^  belonging  to  t(f^).  ft 
implies  that  all  tests  belonging  to  t (f ^ ) must  precede  some  test  t ^ belonging 
to  t(f^).  But  both  t^  and  t^  cannot  precede  each  other.  Hence  if  ft 
then  fj  ft  cannot  be  true.  Thus  ft  is  antisymmetric  besides  being  reflexive 
and  transitive  and  hence  a partial  ordering. 

Conversely  if  ft  is  a partial  ordering,  then  there  must  be  a 

"smallest"  node  f such  that  there  is  no  node  f satisfying  f ft  f . It  is 

hence  possible  to  obtain  a sequence  of  nodes  Y where  the  iC^  element  in  the 
sequence  is  the  "smallest"  node  after  eliminating  the  first  i - 1 nodes  from 
the  diagnostic  graph.  From  the  sequence  Y one  can  get  a sequence  of  sets  of 
tests  where  the  i^  set  is  the  set  of  complete  tests  for  the  ith  element  in 

Y.  By  the  construction  procedure,  if  t^StCf^)  and  tj€T(f^),  then  f^  must 

be  "smaller"  than  f^  and  hence  t^  precedes  t^  in  the  sequence.  Thus  the 
sequence  of  tests  obtained  as  described  must  be  a properly  ordered  test 


sequence,  implying  that  the  diagnostic  graph  is  a roving  graph. 


Q.E.D. 


The  proof  of  the  above  theorem  affords  a means  of  determining  an 
appropriate  sequence  of  tests  given  a roving  graph.  It  must  be  noted  that 
nothing  has  been  mentioned  so  far  about  the  tests  for  the  initial  nodes 
themselves.  It  has  been  implicitly  assumed  that  they  are  fault-free. 
Discussion  on  this  aspect  will  be  delayed  until  the  end  of  the  chapter. 
Example  5.2 

Consider  the  roving  graph  of  Figure  5.3.  The  "smallest"  node 
initially  is  f^.  After  removing  f^  from  the  system  there  are  three  candi- 
dates for  the  next  "smallest"  node,  namely,  f^j  f ^ and  f^.  Any  one  of  them 
is  chosen  arbitrarily.  Continuing  in  this  manner,  a sequence  of  nodes  Y can 
be  obtained  as  ‘ A ProPerl-y  ordered  sequence 


of  tests  can  thereafter  be  obtained  as  (t^, t^, , t^, C^, t5> tg, t^, t , t^) . 


□ 


5.3.  Minimization  of  Test  Time 

The  time  required  to  complete  the  tests  may  often  be  important. 

By  minimizing  the  system  test  time,  the  time  available  for  computation  is 
increased,  while  minimizing  the  possibility  of  failures  occurring  during 
testing. 

Every  test  for  a fault  in  the  system  roving  graph  may  be  associated 
with  a certain  finite  time  which  represents  the  time  required  for  that  test 
to  be  carried  out.  Various  factors  enter  the  picture  when  the  total  system 
testing  time  is  to  be  computed.  It  may  be  possible  to  carry  out  two  tests 
simultaneously  in  spite  of  the  fact  that  both  these  tests  are  invalidated  by 
the  same  fault.  Further,  all  the  tests  for  a given  fault  need  not  be 
performed  in  order  to  ensure  the  absence  of  faults  in  the  system;  any  one 
complete  test  will  suffice.  Also,  if  two  faults  invalidate  some  test,  it 
may  be  either  because  both  the  testing  units  cooperate  during  the  entire 
test  or  because  one  of  the  testing  units  carries  out  one  part  of  the  test 
and  the  other  the  remaining  part.  In  view  of  these  considerations,  it  is 
not  possible  to  give  general  algorithms  which  minimize  the  total  test  time 
for  the  system.  A knowledge  of  the  system  characteristics  may  aid  in 
generating  a minimal  test-time  algorithm  for  the  system,  however. 

As  an  example  consider  a STPF  system  as  shown  in  Figure  5.4.  It 
is  assumed  that  all  units  which  test  a given  unit  cooperate  in  performing 
the  test,  but  that  any  tests  which  are  invalidated  by  faults  already  tested, 
may  be  started  simultaneously. 


74 


ri 
1 1 

0 

0 


The  figures  in  parentheses  accompanying  the  test  labels  indicate 
the  time  required  for  performing  the  test.  One  could  now  take  an  approach 
similar  to  that  used  in  PERT  [24]  to  determine  the  time  for  completion  of 
testing. 

The  length  of  any  path  (i.e.,  the  sum  of  the  time  durations  of  the 
tests  on  that  path)  from  f^  to  f^  represents  a lower  bound  on  the  elapsed 
time,  measured  from  the  start  of  testing  before  fault  f^  has  been  tested  for 
and  before  tests  invalidated  by  f^  may  be  started.  It  is  convenient  to 
associate  numbers  (times)  with  vertices  as  follows: 

L(fx)  = 0 

L(f ^)  = max  (-£(P)}  for  i ^ 1 

where  4(P)  denotes  the  time- length  of  path  P and  where  the  maximum  is  taken 
over  all  paths  from  f^  to  f^. 

Testing  is  completed  when  node  f^  has  been  tested  for.  Let  L(f^) 
be  the  time  of  completion.  Define 

M<f10>  = 

M(f ^)  = L(f1Q)  - max  (X(p)}  for  i t 10 

where  4(p)  is  the  length  of  a path  from  to  f^  and  the  maximum  is  taken 
over  all  such  paths.  The  effect  of  these  operations  is  illustrated  in 
Figure  5.5,  where  for  every  node,  the  pair  (L(f ^) ,M(f i) ) is  shown. 

The  critical  path  for  the  graph  is  (f^,f^,fg,fg,f^g).  The  non- 
critical  nodes  represent  those  faults  for  which  there  is  a latitude  for 
scheduling  their  tests,  the  amount  of  latitude  or  s lack  being  given  by  the 
difference  M(f^)  - L(f^)  for  the  node. 


i 


• . 


76 

The  assumption  made  above  regarding  the  possibility  of  simultaneous 
execution  of  those  tests  which  have  a common  invalidating  fault,  may  often 
be  unreasonable.  Figure  5.6  shows  a feasible  schedule,  obtained  by  trial 
and  error,  which  does  not  make  this  assumption. 

The  test  sequence  used  to  obtain  this  30- time  unit  schedule  is 
{ t2 ,t3,t1,t4,t5,t6,t7,tg,t9} , with  each  test  being  performed  at  the  earliest 
possible  time. 

5.4.  Determination  of  Roving  Graph 

Once  a roving  graph  has  been  obtained,  as  shown  in  the  previous 
sections,  systematic  techniques  exist  to  determine  an  appropriate  test 
sequence  for  the  system  in  order  to  perform  roving  diagnosis.  This  section 
attempts  to  find  suitable  algorithms  for  determining  one  or  more  roving 
graphs  given  the  diagnostic  graph  of  the  system. 

Again  it  is  convenient  to  consider  the  simpler  SMPT  and  STPF  cases 
before  going  on  to  the  general  case.  Further,  the  nature  of  the  roving  graph 
will  differ  depending  on  the  number  of  faults  that  may  have  occurred  in  the 
system  before  testing  begins.  Define  a d-fault  k-roving  graph  to  be  one  in 
which  there  are  k initial  nodes  and  all  the  faults  in  the  system  may  be 
identified  by  an  appropriate  sequence  of  tests  as  long  as  not  more  than  d 
faults  that  could  have  occurred  in  the  system. 

It  may  be  observed  here  that  if  a system  has  a diagnostic  graph 
which  embeds  a d-fault  roving  graph,  then  the  system  must  be  d-fault  testable 
by  roving  diagnosis.  (The  initial  nodes  must  be  diagnosable  themselves,  of 
course. ) 

An  invalidating  set  of  faults  I ( f for  a fault  f^  is  defined  as  a 
set  of  faults  such  that  t(f.)  c T(I(f.)). 


Theorem  5.2 


A roving  graph  is  a d-fault  roving  graph  if  and  only  if  the 
smallest  invalidating  set  for  every  non-initial  node  has  a cardinality  of 
at  least  d in  the  roving  subgraph. 

Proof: 


Let  some  invalidating  set  of  faults  Fs  for  a fault  f^  be  such  that 
| FS|  < d.  Since  t(f^)  c T(F®)  the  fault  F® U f ^ is  undiagno sable,  even 
though  {F^Uf^}  S F(d). 

Conversely,  assume  that  every  invalidating  set  of  faults  in  the 
roving  graph  has  a cardinality  of  at  least  d.  (This  automatically  implies 
the  existence  of  at  least  d complete  tests  for  every  non-initial  node  in  the 
roving  graph.)  Construct  a sequence  of  nodes  Y for  the  graph  as  described 
in  the  proof  of  Theorem  5.1.  By  replacing  every  non- initial  node  in  the 
sequence  by  some  test  for  that  node,  and  ignoring  all  initial  nodes,  a 
properly  ordered  test  sequence  for  the  roving  graph  is  obtained.  Now 
assume  that  a fault  f^  is  detected  by  the  failure  of  some  test.  Consider  a 
test  tj  in  the  previously  obtained  test  sequence  such  that  t^ST(f^).  Let 
tj  €t(fj).  Replace  t^  in  the  sequence  by  a test  t^€t(f^)  such  that 
tk € T(fi) . Such  a test  t^  must  exist  if  the  cardinality  of  the  invalidating 
set  for  f.  is  greater  than  d.  If  the  cardinality  equals  d then  test  t does 
not  exist  only  if  all  the  faults  in  the  invalidating  set  for  f^  have  occurred, 
in  which  case  f^  could  not  have  occurred  (there  being  no  more  than  d faults 


in  the  system)  and  need  not  be  tested  for.  Thus  a valid  properly  ordered 
test  sequence  may  always  be  obtained  for  the  system  to  perform  roving 
diagnosis  as  long  as  there  are  no  more  than  d faults.  Q.E.D. 


r 


“TE 


[] 


i 

Li 


79 

5.5.  Roving  Graphs  for  SMPT  Systems 

Diagnostic  graphs  of  SMPT  systems  are  characterized  by  a unique 
test  label  for  every  arc  in  the  graph.  This  fact  simplifies  the  procedure 
for  finding  roving  graphs  for  such  systems. 

For  a system  having  |3|  = m fault  nodes,  the  adjacency  matrix.  A, 
is  defined  as  the  mXm  matrix  such  that  an  element  a_  satisfies 


‘ij 


i,  if  T(f.)  nt(f.)  * 0 

0,  otherwise. 


Thus  a. . = 1 implies  that  there  is  an  arc  directed  from  node  f.  to  node  f. 
ij  r J 

in  the  diagnostic  graph  for  the  system.  By  multiplying  the  adjacency  matrix 

th 

by  itself  m times,  an  mXm  matrix  is  obtained  in  which  the  j element  of 
the  i row  is  a 1 if  and  only  if  there  exists  a directed  path  in  the 
diagnostic  graph  from  node  f^  to  node  f . Call  this  matrix  the  connectivity 
matrix,  C. 

Theorem  5 . 3 

There  exists  a 1-roving  graph  for  every  SMPT  system  whose  con- 


nectivity matrix  has  at  least  one  row  i with  fl  c 

J>*1 

Proof: 


ij 


1. 


if  n c. 


J*i 


ij 


1 then  c 


ij 


1 for  every  element  in  the  row  i except 


the  (i,i)  element.  By  the  construction  of  the  connectivity  matrix,  it  is 

clear  that  there  must  be  a directed  path  from  node  i to  every  other  node  in 

the  diagnostic  graph  for  the  network.  Let  f be  an  arbitrary  node  in  the 

network.  If  the  path  from  f.  to  f passes  through  p other  nodes  in  the  order 

* 8 

f,  - f,  - f«  - . . . - f . - f - f then  by  the  SMPT  nature  of  the  graph, 
i 1 2 p-lpg  3 r > 

any  test  sequence  which  includes  tests  tCf^fjTCf^).  •••» 

t(f  ) f~l T (f  , ) , t(f  ) nKf  ) in  that  order  will  be  properly  ordered  with 
P P* " 8 P 


80 


respect  to  these  nodes.  By  treating  f ^ as  an  initial  node  and  trivial 
extension  of  the  above  argument  to  the  other  nodes  in  the  graph,  the 
theorem  is  proved.  Q.E.D. 

The  following  algorithm  indicates  a systematic  method  for  obtaining 
a roving  graph  for  any  SMPT  system. 

Algorithm  5 ■ 1 

Step  1:  Determine  the  connectivity  matrix,  C,  for  the  SMPT  system. 

Step  2:  For  each  row  i in  the  matrix,  determine  the  sum  £ c . Call  it  s . . 

j J 1 

Step  3:  Find  the  row  p,  such  that  s = max  (s^).  Ties  are  broken  arbitrarily. 


Add  f to  the  set  of  initial  nodes. 
P 


th 


Step  4:  Modify  the  connectivity  matrix,  C,  eliminating  the  k row  and 

column,  where  k = p or  c ^ = 1*  (Eliminate  all  rows  and  columns 
for  which  k satisfies  the  above  property.) 

Step  5:  If  the  resulting  matrix  is  non-null,  go  back  to  Step  2.  If  not, 

mark  all  the  initial  nodes  found  in  the  previous  iterations.  Call 
the  trivial  unconnected  graph  formed  by  these  nodes  the  graph  R. 

Step  6:  For  any  marked  node  in  R,  say  f^,  determine  all  nodes  f..  such  that 
T(f fl  t(f  j ) J4  0 and  f ^ does  not  already  belong  to  R.  Add  to  R 
all  nodes  found  thus  along  with  the  arcs  from  node  £ to  these  nodes 
with  the  appropriate  test  labels. 

Step  7:  Mark  all  nodes  found  in  Step  6 and  unmark  f^.  If  there  are  no 


marked  nodes  left  in  R,  then  go  to  Step  8,  or  else  to  Step  6. 
Step  8:  The  graph  R is  a roving  graph  for  the  given  SMPT  system. 
Theorem  5.4: 

The  graph  R obtained  by  Algorithm  5.1  is  a roving  graph. 


□ 


81 


r 


Proof : 

The  proof  is  again  by  construction.  At  the  end  of  Step  5, 
define  a sequence  of  tests,  tp,  which  is  initially  null.  Modify  Step  6 
as  follows: 

Step  6:  For  any  marked  node  in  R,  say  f^,  determine  all  nodes  f^  such  that 
T(f^)  A t(fj)  t 0 and  f..  does  not  already  belong  to  R.  Append 
the  tests  in  T(f^)  ^ t(fj)  t0  c^e  enc*  ^ ^or  t*ie  relevant 

faults  f . Add  to  R all  nodes  f ^ found  thus  along  with  the  arcs 
from  f^  to  these  nodes  labelled  appropriately. 

Each  time  a test  is  appended  to  ip  in  Step  6,  it  is  clear  that  it 
can  be  invalidated  only  by  an  initial  node  or  by  some  other  node  whose 
tests  have  already  preceded  it  in  the  sequence  ip . Hence  the  sequence  ip 
is  a properly  ordered  test  sequence,  which  covers  all  the  tests  in  R.  By 
the  definition  of  a roving  graph  R must  be  a roving  graph.  Q.E.D. 

Theorem  5.5 

The  roving  graph  R obtained  by  Algorithm  5.1  has  the  smallest 
number  of  initial  nodes  for  all  possible  roving  graphs  of  the  system. 

Proof: 

Assume  that  two  of  the  initial  nodes  found  in  Step  3 of  the 

algorithm  are  fg  and  f^,  with  f being  found  before  f^.  If  f^  were 

accessible  from  f , i.e.  if  a path  exists  from  f to  f,  , then  the  row 
g K g h 

and  column  corresponding  to  f^  would  be  eliminated  in  Step  4 when  f is 

an  initial  node.  If,  on  the  other  hand,  f,  were  accessible  from  f , then 

h g 

every  node  accessible  from  f would 'also  be  accessible  from  f^  implying 

that  £ c,  . > £ c ..  Hence  f,  would  have  been  chosen  in  step  2 before  f . 
j hj  . gj  h * g 


u 


A 


82 

Thus,  it  is  proved  that  f and  f,  are  inaccessible  from  each  other. 

g h 

Similarly,  by  taking  all  the  initial  nodes  found  in  the  algorithm  pair- 
wise, and  applying  the  above  arguments  it  is  easy  to  see  that  the  set 
of  initial  nodes  in  R is  a set  in  which  there  does  not  exist  a directed 
path  between  any  two  nodes.  Hence  this  set  of  nodes  must  serve  as 
initial  nodes  for  every  roving  graph  of  the  system.  Q.E.D. 

While  the  roving  graph  obtained  in  Algorithm  5.1  has  the  least 
number  of  initial  nodes,  there  may  be  other  graphs  which  are  d-fault- 
testable  for  a larger  d.  It  may  be  observed  that  the  Algorithm  5.1  leads 
to  a forest  of  trees  having  the  initial  nodes  as  the  set  of  roots.  Hence 
the  roving  graph  thus  obtained  can  be  no  better  than  a 1-fault  k-roving 
graph,  where  k = number  of  initial  nodes.  The  example  which  follows 
illustrates  a heuristically  derived  2-fault  3-roving  graph. 

Example  5.3 

A roving  graph  of  an  SMPT  system  whose  adjacency  matrix  is 
shown  in  Table  5.1  is  shown  in  Figure  5.7(a). 

Figure  5.7(b)  illustrates  how  the  roving  graph  obtained  by  using 
Algorithm  5.1  on  an  SMPT  system  may  be  modified  in  order  to  obtain  another 
roving  graph  which  is  now  testable  for  a greater  number  of  faults.  The 
dotted  lines  indicate  those  test  arcs  which  exist  in  the  original 
diagnostic  graph  but  are  not  necessary  in  the  roving  graph.  It  is  also 
clear  that  since  there  are  some  non-initial  nodes  which  have  no  more  than 
two  tests,  there  cannot  exist  a 3-fault  3-roving  graph  for  the  system.  □ 

5.6  Roving  Graphs  for  STPF  Systems 

The  fact  that  STPF  systems  have  one  and  exactly  one  test  per 
fault  leads  to  two  immediate  important  observations: 


I 


(i)  There  must  be  at  least  one  cycle  in  the  diagnostic 

graph  of  the  system.  (The  implicit  assumption  is  that 
the  system  is  self-testing  as  defined  in  Chapter  2. 

This  assumption  is  reasonable  in  view  of  the  fact  that 
roving  diagnosis  aims  at  eliminating  fault-free  hard-core 
for  a system.) 

(ii)  The  roving  graph  for  the  system  can  be  no  better  than  a 
1-fault  roving  graph,  unless  it  is  a degenerate  n- roving 
graph  where  |3|  = n. 

Algorithm  5.2  indicates  how  a 1-fault  1-roving  graph  can  be 

determined,  if  one  exists,  in  an  STPF  system. 

Algorithm  5.2 

Step  1:  Determine  all  the  directed  cycles  in  the  diagnostic  graph  for 
the  system.  (This  may  be  done  by  using  the  variable  adjacency 
matrix  of  Danielson  [25].) 

Step  2:  Let  p be  the  number  of  cycles  in  the  system  graph,  and  let 

y^,  i = l,2,...,p  be  the  set  of  nodes  involved  in  the  itJl  cycle. 

Determine  the  intersection  y = H y 

i 

Step  3:  If  y is  empty,  then  there  does  not  exist  a 1-fault  1-roving  graph 
for  the  system.  Otherwise,  the  roving  graph  R for  the  system 
is  obtained  by  choosing  an  arbitrary  node  fg  £ y and  deleting 
from  the  diagnostic  graph  for  the  system,  all  arcs  labelled  with 
the  tests  belonging  to  t(fg)  . 

Lemma  5 . 6 

If  y is  empty  in  Step  3 of  Algorithm  5.2  then  a 1-fault  1-roving 


graph  does  not  exist  for  the  system. 


LJ 


u 


L) 


! «1 


■i 

I 

) 

it, 


86 


Proof: 

Consider  two  cycles  in  the  system  diagnostic  graph  whose  node 
sets  are  y^  and  y^  and  y^  = y^.  Consider  the  node  € y^  U y^  such  that 
fi  € y^  Hy^.  Without  loss  of  generality,  it  may  be  assumed  that  f^  £ y^. 

By  removing  node  f and  its  associated  test  links  from  the  system  the 
cycle  with  node  set  y^  is  eliminated  from  the  system  but  that  with  node 
set  y2  still  remains,  because  none  of  arcs  and  nodes  involved  in  the  latter 
are  affected  by  the  removal  of  f^.  Hence  a node  belonging  to  y^  n y ^ 
must  be  removed  in  order  to  ensure  the  elimination  of  both  cycles. 

By  extending  the  argument  for  all  cycles  in  the  system  diagnostic 
graph  the  lemma  is  proved. 

Theorem  5.6 

The  graph  R obtained  by  Algorithm  5.2  is  a roving  graph  for  the 
STPF  system. 

Proof : 

Consider  a node  belonging  to  all  the  cycles  in  the  system 
diagnostic  graph.  Every  cycle  must  have  one  incoming  edge  to  this  node. 

By  deleting  all  the  incoming  edges  to  this  node,  all  the  cycles  in  the 
system  graph  must  be  eliminated.  The  removal  of  all  such  incoming  edges 
essentially  represents  the  removal  of  all  complete  tests  for  the  chosen 
node  (in  this  case,  one) . This  implies  that  in  the  modified  graph,  this 
node  will  be  an  initial  node.  Since  every  node  in  the  rest  of  the 
system  has  a complete  test,  and  since  no  cycles  remain,  there  can  be  no 
more  initial  nodes  in  the  system  and  a properly  ordered  test  sequence 
exists  for  all  faults  in  the  system.  Thus  the  resulting  graph  is  a 
1-fault  1-roving  graph.  Q.E.D. 


The  proofs  of  the  above  lemma  and  theorem  indicate  how  one 
would  approach  the  problem  of  finding  a 1-fault  k-roving  graph  problem 
for  an  STPF  system  with  a minimal  k. 

Algorithm  5.3 

Step  1:  Determine  all  the  directed  cycles  in  the  diagnostic  graph  for 


the  system. 

Step  2:  List  only  the  nodes  involved  in  the  cycles  and  eliminate  all  cycles 
which  involve  the  same  nodes  as  some  other  cycle. 

Step  3:  (Optional)  Eliminate  all  cycles  a subset  of  whose  nodes  is 
involved  in  some  other  cycle. 

Step  4:  Construct  a p x m matrix  M where  the  p rows  correspond  to  the  p 
cycles  after  performing  steps  2 and  3 and  m = j 3 | the  number  of 
fault  nodes  in  the  system.  The  elements  of  the  matrix  are  defined 


1,  if  node  j is  contained  in  cycle  i 


0,  otherwise 


Step  5:  Determine  the  smallest  set  of  nodes,  I,  which  covers  all  the  rows 
of  the  matrix  M.  (This  is  simply  the  classical  covering  problem 
and  may  be  solved  using  the  Petrick  function  [26]  approach.) 

Step  6:  The  1-fault  roving  graph  for  the  system  is  obtained  by  making  I 
the  set  of  initial  nodes  and  eliminating  from  the  diagnostic 
graph  for  the  system,  all  arcs  corresponding  to  complete  tests 
for  these  nodes.  -J 


Example  5.4 


The  system  whose  diagnostic  graph  is  shown  in  Figure  5.8(a)  is 
an  STPF  system  having  the  following  cycles:  (i)  1-3-7-1  (ii)  3-6-8-4-3 


AD-A069  770  ILLINOIS  UNIV  AT  URBANa-CHAMPAIGN  COORDINATED  SCIENCE  LAB  F/G  9/2 

DIAGNOSIS*  SELF-DIAGNOSIS  AND  R0VIN6  DIAGNOSIS  IN  DISTRIBUTED  D— ETC(U» 
SEP  78  RK  NAIR  DAAB07-72-C-0259 


90 


T 


0 


! 

I 


; 


o 

0 

a 

o 

o 

0 

0 

0 

i) 

0 

0 

0 

0 

0 

0 

D 

y 

o 


(iii)  3-5-6-8-A-3  (iv)  1-2-4-3-7-1  (v)  5-6-8-5.  All  other  cycles  may  be 
decomposed  Into  two  or  more  of  the  above  cycles. 

By  Step  3 of  Algorithm  5.3,  the  cycle  (v)  is  contained  in  cycle 
(iii)  and  hence  the  latter  may  be  eliminated.  Cycle  (iv)  may  be  similarly 
eliminated.  The  remaining  cycles  and  their  relationship  to  the  fault  nodes 
are  depicted  in  the  M-matrix  of  Figure  5.8(b). 

The  Petrick  function  for  the  system  is 

(Iv3~7)(3v<6~8v/4)(5v6v8)  - 16^18^67^87^35^36^38^145^475 


Each  term  in  the  sum-of-products  expression  above  indicates  the  initial 
nodes  in  a possible  roving  graph  for  the  system. 

Figure  5.8(c)  shows  a sample  1-fault  2-roving  graph  for  the  system. 
Note  that  there  are  6 other  possible  2-roving  graphs  for  the  system  and 
that  there  is  no  1-roving  graph  for  the  system. 

A properly  ordered  sequence  of  tests  for  the  system  would  be 


(t2»t8»t4»t3»t5»t7^ • 


□ 


5.7  Roving  Graphs  for  General  Systems 

While  some  of  the  techniques  mentioned  in  the  previous  two 
sections  could  be  applied  with  success  in  the  general  case,  they  would  not 
always  lead  to  the  best  roving  graphs  for  the  system.  Various  criteria 
may  be  used  in  choosing  the  best  roving  graph: 

(i)  the  graph  with  the  least  number  of  Initial  nodes, 

(il)  the  graph  which  is  maximally  fault  testable 
(ill)  a reasonable  combination  of  both  (1)  and  (ii) . 

Algorithm  5.4  may  be  used  to  determine  the  roving  graph  of  a 
system  with  the  least  number  of  Initial  nodes. 


91 


Algorithm  5. A 

Step  1:  Determine  all  the  directed  cycles  in  the  diagnostic  graph  for 
the  system. 

Step  2:  List  only  the  test  edges  involved  in  the  cycles  and  eliminate  all 
cycles  which  involve  the  same  tests  as  some  other  cycle. 

Step  3:  (Optional)  Eliminate  all  cycles  a subset  of  whose  tests  are 
involved  in  some  other  cycle. 

Step  4:  Construct  a q x n matrix  N where  the  q rows  correspond  to  the  q 

cycles  after  performing  Step  3 and  n * |.'r|  the  number  of  complete 
tests  in  the  system.  The  elements  of  the  matrix  are  defined  by 


1,  if  test  j is  included  in  cycle  i 


0,  otherwise 


Step  S:  Determine  all  the  irredundant  set  of  tests,  which  cover  all 

the  rows  of  matrix  SI . (Note  that  an  irredundant  set  need  not  be 
the  smallest  set.  An  irredundant  set  of  tests  is  one  in  which 
removal  of  any  element  of  the  set  leaves  some  row  uncovered.) 

Step  6:  For  each  set  of  tests,  J^,  determine  the  largest  set  of  fault 


nodes  1^  such  that  t(I^)  c J^. 

Step  7:  If  I is  the  set  or  nodes  such  that  1 1 I 
r m 1 m' 


min  | I . | then  the 
i 

roving  graph  for  the  system  is  obtained  by  deleting  all  edges 

corresponding  to  tests  in  J (corresponding  to  I ) from  the 

tn  m 

diagnostic  graph,  and  making  I the  set  of  initial  nodes.  □ 

m 

Theorem  5.7 

The  procedure  described  in  Algorithm  5.4  leads  to  a roving  graph 
which  has  the  least  number  of  Initial  nodes. 


' 


1 0 

J 0 

| a 

:!  0 

r > 

; U 

! a 
o 
0 
0 


Proof: 


Assume  that  there  exists  a roving  graph  which  has  fewer  initial 


nodes,  1^.  The  set  of  complete  tests  for  these  nodes  must  be  one  which 

covers  all  the  q cycles  of  the  diagnostic  graph.  Further  there  must  exist 

a subset  of  this  set  of  tests  which  is  an  irredundant  set  covering  all 

the  cycles.  Let  this  set  be  But  since  Algorithm  5.4  finds  all  the 

irredundant  sets  in  Step  5,  must  also  be  found.  Consider  the  largest 

set  of  fault  nodes  I such  that  t(l  ) c J . Since  J c t(I  ),  clearly 

x x— x x— y J 

t(I  ) c t(I  ) and  hence  I c I . By  making  I a set  of  initial  nodes  and 
x y x - y x 

by  eliminating  all  tests  in  all  cycles  in  the  diagnostic  graph  are 

broken  and  hence  a roving  graph  is  obtained.  But  since  |l  | £ |l  |, 

x y 

it  contradicts  the  original  assumption  that  | 1 | < min  | I . | and  the 

7 i 


theorem  is  proved. 


Q.E.D. 


Given  that  the  roving  graph  for  a system  be  d-fault  testable, 
the  following  algorithm  determines  a roving  graph  which  has  the  least 
number  of  initial  nodes,  assuming  that  no  two  tests  for  a fault  are 
invalidated  by  the  same  fault. 

Algorithm  5.5 

Step  1:  Modify  the  diagnostic  graph  for  the  system  by  eliminating  those 
edges  corresponding  to  t^  where  ^ € t(f^)  and  | t ( f I K d. 

Step  2:  Perform  Steps  1 through  5 of  Algorithm  5.4,  treating  the 
modified  graph  as  the  diagnostic  graph  for  the  system. 

Step  3:  For  each  set  of  tests,  J^,  found  above,  determine  the  largest 

set  or  fault  nodes  F*  ■ (fi* *2* ' ’ * * ^p  ^ suc^  that  |t(fj)-J^|  < d 
for  all  j * l,2,...,p^.  (This  ensures  that  all  the  other 
faults  in  the  graph  have  d or  more  complete  tests.)  Set  to 
J±  U t(Fi) . 


L 


■ 


T* 


93 

Step  4:  If  F®  is  the  set  of  nodes  such  that  | F™ | - min  |F*|  then  the 

i 

roving  graph  for  the  system  is  obtained  by  deleting  all  edges 
corresponding  tests  in  Jm  from  the  diagnostic  graph.  All 
nodes  which  do  not  have  an  incoming  arc  as  a result  of  this 
operation  are  made  initial  nodes.  □ 

The  only  restrictive  point  about  the  above  algorithm  is  that  it 
requires  that  there  should  be  no  two  faults  f^,  fj  such  that 
| T ( f H t(fj) | > 1.  Actually,  in  practice,  one  may  very  well  be 
able  to  carry  out  the  algorithm  as  described  even  though  the  condition  is 
not  satisfied  and  then  ensure  that  the  resulting  roving  graph  does  not 
possess  any  non-initial  nodes  which  have  invalidating  sets  of  faults  with 
cardinality  smaller  than  t. 

This  section  is  concluded  with  an  example  to  illustrate  the 
points  mentioned. 

Example  5.5 

Consider  a system  S whose  diagnostic  graph  is  shown  in  Figure  5.9(a) 
The  set  of  cycles  obtained  after  performing  Step  3 and  the  N- matrix  of  the 
system  are  shown  in  Figure  5.9(b).  The  sets  of  minimal  tests  are:  (1,6,9), 


(1,6,10),  (1,6,11),  (1,7),  (1,9,12),  (1,10,12),  (1,11,12),  (7,8), 
(5,8,11,12),  (6,8,11). 


The  corresponding  sets  of  fault  nodes  (1^)  are  given  by:  (1), 

(1),  (1,6),  (1),  (1),  (1),  (1),  (7),  (5),  (6).  Thus  there  are  4 candidates 
for  a single  initial  node,  namely,  nodes  1,  5,  6 or  7.  Figure  5.9(c)  shows 
a roving  graph  obtained  by  eliminating  tests  t^  and  tg. 

Attempting  to  obtain  a 2-fault  roving  graph  for  the  system,  the  modi 
fied  diagnostic  graph  is  drawn  as  per  Step  1 of  Algorithm  5.5  in  Figure  5.9(d) 


FP-6259 


(a)  Diagnostic  Graph  for  System  S 


0 

0 

0 

0 

0 


Cycle  1 100000010  0 

Cycle  2 110011100  0 

Cycle  3 000000101  1 

Cycle  4 101000100  0 

Cycle  5 110100100  1 

Cycle  6 100111100  1 

Cycle  7 100100100  1 

Cycle  8 101011100  0 

Cycle  9 000011101  1 

Cycle  10  000001100  0 

_ 

(b)  N-Matrix  for  the  System 

Figure  5.9  "Best"  Roving  Graphs  for  the  General 
System  of  Example  5.5 


I J I 


0 

0 

0 

0 

0 

n 

) I 

u 

. 

a 

u 

0 

0 

a 

u 

b 

o 

0 

Q 

e 


8 


97 

The  new  sets  of  minimal  tests  are  (5,11,12),  (6,9),  (6,10),  (6,11),  (9,12), 
(10,12),  (7).  The  sets  of  nodes  (F*)  of  Step  3 in  Algorithm  5.5  are: 

(5,6),  (6,4),  (6,3),  (6),  (4,5),  (3,5),  (7).  The  2-fault  roving  graph 
having  the  least  number  of  initial  nodes  must  hence  have  3 initial  nodes, 

1,  2 and  7 or  1,  2 and  6.  The  latter  2-fault  3-roving  graph  is  shown  in 
Figure  5.9(f). 

It  may  be  easily  verified  that  there  does  not  exist  a non- 
degenerate 3-fault  roving  graph  for  the  system.  □ 

5.8  Diagnosis  of  Initial  Nodes 

The  initial  node  used  in  the  earlier  sections  was  actually  an 
aid  in  determining  a properly  ordered  test  sequence  for  the  system. 
Obviously,  the  initial  nodes  are  themselves  prone  to  faults  and  hence  may 
invalidate  some  tests  in  the  roving  graph  for  the  system. 

The  absence  of  any  tests  for  the  initial  faults  in  the  roving 
graph  does  not  mean  that  they  cannot  be  tested  for  in  the  system.  It 
may  be  recalled  that  the  roving  graph  is  a subgraph  of  the  diagnostic 
graph  for  the  system.  Hence  one  may  attempt  to  "come  round  a complete 
circle"  and  diagnose  the  initial  nodes  using  the  nodes  which  were 
diagnosed  under  the  assumption  that  the  initial  nodes  were  fault-free. 

The  first  requirement  implied  by  this  strategy  is  that  the 
initial  nodes  themselves  must  possess  invalidating  sets  with  cardinality 
at  least  d (vide  Theorem  5.2  in  Section  5.4).  This  would  suffice  if 
an  initial  node  under  a fault  never  causes  a test  which  should  fail  to 
pass.  (This  is  the  case  in  the  Barsi,  Grandoni  and  Maestrini's  model  [9] 
but  does  not  hold  true  for  the  general  model  being  considered  here.) 


l 


( 


MKi&tJZ  - '•?»*»  i«i  • <«£•  Z J 


98 

A second  solution  may  be  to  use  "hard-core"  units  to  check 
the  initial  nodes  only.  This  would  imply  that  in  order  to  reduce  the 
complexity  of  hard-core  requirements,  firstly,  the  number  of  initial  nodes 
would  have  to  be  reduced  and  secondly,  the  complexity  of  the  initial  nodes 
themselves  would  have  to  be  reduced  in  order  to  make  the  tests  simpler. 

In  any  case,  the  requirement  that  some  sort  of  global  fault-free  tester 
be  available  in  this  scheme  is  somewhat  disconcerting. 

A better  approach  would  utilize  self-checking  units  for  the 
initial  nodes.  The  hard-core  requirement  in  this  case  could  be  simplified 
to  a simple  monitor  which  looks  at  the  output  of  the  checker  and  sets  off 
an  alarm  when  something  goes  awry  with  the  initial  node.  However,  even 
in  this  scheme,  the  initial  nodes  would  have  to  undergo  tests  periodically, 
but  not  quite  as  frequently  as  before,  because  it  is  impossible  to 
guarantee  the  exercise  of  all  the  necessary  inputs  during  regular  opera- 
tion. Discussions  on  the  design  of  self  checking  circuits  may  be 
obtained  from  [27],  [28]  and  [29]. 

By  keeping  the  initial  nodes  fairly  simple,  the  self-checking 
designs  of  these  circuits  may  be  made  without  undue  difficulty.  Such 
an  approach  is  viable  and  very  useful,  especially  if  there  is  a degree  of 
flexibility  allowed  in  the  design  of  the  initial  nodes  of  a distributed 
network. 

Any  further  reduction  in  the  global  requirements  for  the  system 
will  tend  to  increase  the  demands  on  the  structure  of  the  network  itself. 
One  such  approach  which  is  being  termed  cooperative  initial  diagnosis  will 
now  be  described. 


J 


99 


jfyrzrr- 


Assume  that  at  the  start  of  the  testing  procedure,  a certain 
set  of  nodes  in  the  system  simultaneously  tests  an  initial  node.  At  the 
completion  of  all  the  tests,  these  nodes  cooperate  among  themselves  to 
find  out  how  many  of  the  nodes  found  the  initial  node  to  be  faulty  and 
how  many  fault-free.  Depending  on  the  result,  and  on  the  fault  assumption, 
it  can  be  determined  unambiguously  whether  the  initial  node  is  faulty  or 
not. 

As  an  example,  Figure  5.10  shows  a part  of  the  diagnostic  graph 
for  a 2-fault  system  where  f^  is  the  initial  node.  The  fault  nodes  f^,  f£« 
f^  and  f^  correspond  to  the  nodes  which  attempt  to  diagnose  ^ through 
tests  t^,  t^,  t^  and  t^  respectively.  If  two  or  more  of  these  nodes  find 
fault  ^ to  be  absent,  then  that  must  indeed  be  the  case,  or  else  there 
would  be  three  or  more  faults  in  the  system.  If  the  number  is  fewer  than 
two,  then,  for  a similar  reason,  f^  must  correspond  to  an  existing  fault. 

In  order  that  the  nodes  corresponding  to  f^,  ...,  f^  communicate 
among  themselves,  the  communications  graph  for  the  system  must  include 
arcs  between  these  nodes.  In  fact,  the  possibility  of  faults  among  these 
units  could  imply  a complete  graph  among  these  nodes  for  the  communications 
graph. 

For  a d-fault  system,  the  above  mechanism  may  be  directly 
extended  with  2d  nodes  testing  an  initial  node  and  a complete  graph  among 
these  nodes  in  the  communications  graph  for  the  system. 

There  is  just  one  piece  of  hard-core  implied  by  the  cooperative 
initial  diagnosis  approach.  There  must  be  a mechanism  by  which  all  the 
testing  units  are  instructed  to  begin  testing  the  initial  node.  A clock 
common  to  these  units  is  one  such  mechanism. 


u 


0 


0 


.. 


0 


0 


101 

In  practice,  the  intial  node  diagnosis  problem  is  not  as 
complex  as  it  has  been  made  out  to  be  in  this  section.  Once  a testing 
routine  has  been  completed  around  the  roving  graph,  if  there  are  no  faults 
found  then  there  is  a high  probability  that  the  nodes  testing  the  initial 
nodes  are  themselves  fault-free  when  they  are  ready  to  test  the  initial 
node.  Hence  one  may  complete  the  loop  by  proceeding  to  test  the  initial 
nodes  just  like  any  other  node.  Until  a fault  is  actually  detected,  this 
continuous  roving  around  the  system  is  guaranteed  to  give  reliable 
results.  (This  procedure  may  imply  a certain  minimal  length  for  the 
loops  involved.  For  example  if  a cycle  of  length  d is  involved  in  an 
SMPT  system,  there  is  a possibility,  though  rather  remote,  that  all  d 
units  are  actually  faulty,  but  are  declaring  one  another  to  be  fault-free.) 

The  next  chapter  will  consider  the  problem  of  reconfiguration 
and  reusability  in  the  system  and  discuss  some  practical  aspects  of  roving 
diagnosis. 


0 


-.T  f' 


! . ..  - 


102 


6.  FURTHER  IMPLICATIONS  OF  ROVING  DIAGNOSIS 


6.1  Introduction 

The  previous  chapter  described  the  necessary  conditions  to  be 
satisfied  by  a system  In  order  that  It  may  be  able  to  detect  faults  with 
minimal  external  help.  The  system  however  continues  to  be  useful  only 
If  It  Is  aware  of  the  existence  of  the  faults  and  can  resume  functioning 
from  a point  where  the  results  are  known  to  be  unadulterated.  The  latter 
problem,  called  the  recovery  problem,  usually  requires  the  system 
software  to  support  rollback  and  hence  effect  recovery.  The  former, 
which  will  be  considered  here,  implies  certain  interconnections  between 
the  nodes  in  a system  in  order  that  the  system  may  continue  operation, 
although  with  a possible  degradation  in  performance  or  throughput. 

6.2  Reconfigurability 

In  Chapter  4,  a system  was  defined  as  being  reconflgurable  if 
all  the  units  in  the  vicinity  of  a faulty  unit  can  be  reliably  informed 
about  the  fault.  At  least  one  of  the  units  which  has  test  edges  directed 
to  the  faulty  unit  must  know  about  the  fault  as  soon  as  it  is  detected. 
(All  of  them  need  not  know  because  some  units  may  simply  be  feeding  in 
the  test  stimuli,  the  response  to  which  may  be  observed  by  other  units.) 
If  all  the  other  units  adjacent  to  the  faulty  unit  are  reachable  from 
the  unit  detecting  the  fault  then  the  faulty  unit  may  be  effectively 
isolated  from  the  rest  of  the  system.  (Reachability  here  refers  to  the 
communications  graph.  The  choice  of  synonymity  between  a fault  and  a 
faulty  node  simplifies  matters  here.  Otherwise  one  would  have  to  refer 
to  the  "node  containing  the  detected  fault"  rather  than  the  "faulty 
node.") 


103 


As  mentioned  before,  the  communications  graph  for  the  system 
may  be  an  undirected  graph,  as  In  networks  with  full-duplex  links. 

However,  by  treating  it  as  a directed  graph,  results  which  are  more 
general  may  be  obtained. 

The  connectivity  of  a graph  is  the  minimum  number  of  nodes 
whose  removal  disconnects  the  graph.  When  a graph  is  disconnected,  there 
exists  at  least  one  node  which  does  not  have  a directed  path  to  some  other 
node  in  the  graph.  Hence  it  follows  that  a system  is  reconfigurable  to  at 
least  X faults  if  X Is  the  connectivity  of  the  system  communications  graph. 
There  could  be  a set  of  faults  F*,  |F*|  > X such  that  the  system  is 
reconfigurable  to  F*,  since  F*  may  not  form  a cutset  of  the  communications 
graph. 

It  is  also  possible  for  the  system  to  be  reconfigurable  to  a set 
of  faults  which  leaves  the  system  disconnected,  as  shown  in  the  example 
below. 

Example  6.1 

Consider  the  diagnostic  graph  shown  in  Figure  6.1.  Assume  that 
the  communications  graph  for  the  system  is  an  undirected  graph  with  edges 
between  the  same  pairs  of  nodes  having  edges  in  the  diagnostic  graph. 

The  communications  graph  is  not  1-connected  because  a faulty  node  7 leaves 
the  graph  disconnected. 

Since  node  7 has  two  complete  tests  t^  and  tg  it  is'- possible  to 
detect  a fault  in  the  node  through  node  4 or  node  5.  Thus  both  nodes  can 
independently  learn  of  the  fault  and  no  more  nodes  need  to  be  informed 
about  the  fault  in  order  to  effect  reconfiguration. 

Hence  it  is  seen  that  reconfigurability  does  not  necessarily 
imply  connectivity,  though  connectivity  is  a sufficient  condition  for 


105 

reconfigurability.  In  most  cases,  a test  for  connectivity  would  suffice 
In  order  to  determine  whether  the  system  Is  reconf igurable  or  not.  But 
In  some  cases  when  the  connectivity  Is  not  high  enough.  It  may  be 
necessary  to  look  at  the  roving  graph  for  the  system  and  the  nature  of 
Implementation  of  the  testing  routines  in  order  to  ensure  reconfigurability. 
Many  graph-theoretic  results  exist  which  relate  the  connectivity  of  graphs 
with  other  characteristics  of  the  graph  like  the  degrees  of  nodes.  Some 
of  these  may  be  obtained  from  Wilkov  [30]  or  Frank  and  Frisch  [31]. 

The  next  Important  aspect  which  needs  consideration  is  the  time 
required  to  effect  reconfiguration.  It  Is  Imperative  that  the  neighbors 


r 

• D 

i u 

j" 

«1  n 


of  the  fault  know  about  the  fault  promptly  in  order  to  avoid  erroneous 
results  during  operation. 

The  time  required  to  effect  reconfiguration  is  roughly  a function 
of  the  maximum  number  of  hops  (link  traversals)  that  have  to  be  made  in  order 
to  reach  all  the  units  neighboring  the  fault  from  the  units  which  know  about 
the  fault.  In  the  worst  case,  this  time  is  proportional  to  n-2,  where  n is 
the  number  of  nodes  in  the  system  graph.  This  will  be  the  case  when  the 
fault  message  has  to  travel  over  a Hamiltonian  path  of  the  system,  as  in  the 
case  of  a single-loop  system. 

If  A is  a directed  graph  with  n nodes,  then  A , the  graph  obtained 
by  k-rotation  of  A is  defined  as  that  in  which  node  f^,  0 £ 1 < n,  is  renamed 
as  node  f^,,  where  1'  - (i+k)  mod  n.  A graph  A which  possesses  a labelling 

t 

of  its  nodes,  fn,f, f . , such  that  A -A  for  0 < k < n,  will  be  called 

u x n—  J.  — 

a symmetric  graph.  (Two  graphs  A and  B are  said  to  be  equal,  A - B,  if  and 
only  if  they  are  identical  in  all  respects.) 

Lemma  6.1: 


If  there  is  a directed  arc  from  to  mod  n in  a symmetric 

graph  A,  then  there  must  be  a directed  arc  from  f,  to  f...  . for  all  j. 

J mod  n 


1 


f 

u 


(I 

- 

u 

f ■) 

J 


L 


0 

(I 

u 

0 

0 

!! 

0 


Proof: 


106 


Assume  that  soma  node  f^.y  n is  not  the  origin  of  an  arc 

]j£ 

to  n*  The  graph  A obtained  by  k-rotation  of  graph  A must 

hence  have  no  arc  directed  from  node  f . to  node  £ ,. , . , But  then 

i (i+r)  mod  n. 

1c 

A i A implying  that  A is  not  symmetric — a contradiction.  Q.E.O. 

Symmetric  graphs  are  interesting  because  in  certain  cases  they 
are  optimal  with  respect  to  the  time  required  for  reconfiguration.  Since 
the  number  of  hops  required  to  reach  some  node  is  a good  indication  of 
the  time  required  to  send  a message  to  that  node,  it  may  be  convenient  to 
define  H,  called  the  reconfiguration  delay,  as  the  maximum  number  of  hops 
required  to  reach  nodes  adjacent  to  a faulty  node  from  a node  detecting 
the  fault.  If  broadcasting  or  simultaneous  transmission  of  a fault 
message  is  possible  from  a node  then  H is  a parameter  proportional  to 
the  time  required  to  effect  reconfiguration. 

The  following  is  an  interesting  result  applicable  to  symmetric 
communications  graphs.  (Addition  will  be  assumed  to  be  modulo  n addition, 
where  n is  the  number  of  nodes  in  the  system  graph.) 

Theorem  6.1 

If  the  communications  graph  for  a 1-fault  testable  system  is 
symmetric  and  undirected  with  connectivity  _>  2,  then  the  reconfiguration 
delay  (H)  _<  4. 

Proof: 


Consider  the  node  f^  which  has  been  found  to  be  faulty  by  node 

f . , where  i ■ J +■  k.  Let  f.  be  connected  to  some  other  node  f.,  • f . 

J i i+p  q 

Since  the  graph  is  symmetric  there  must  be  an  arc  between  f . and  f . , . 

J J+P 

There  must  also  be  an  arc  between  f . . and  f because  if  f . detects  f . 

J+P  J+P+k  J i 


Co  be  faulty  Chen  there  must  be  an  arc  between  these  nodes  In  the 


communications  graph.  But  j+p  + k«i  + p implying  that  as  long  as 


f are  sufficient  for  propagation  of  fault 


If  p ■ k then  the  above  operation  cannot  be  performed  because 


f . is  itself  a faulty  node.  But  since  the  connectivity  of 


the  communications  graph  is  at  least  2,  every  node  must  have  degree  at 


least  3,  implying  that  it  is  possible  to  find  an  integer  q such  that  the 


communications  graph  possesses  arcs  f . - f 


Ifj+q-i+p  then  clearly  only  one  hop  is  required 


Otherwise  neither 


fj^  nor  can  be  Identical  to  node  f^  implying  that  they  cannot  be 

faulty  by  the  single  fault  assumption.  The  following  hops  hence  form  a 


valid  fault-free  path:  f . - f 


Applying  the  same  arguments  to  every  node  connected  to  f . , the 


theorem  is  proved 


Asstime  that  the  diagnostic  graph  and  the  communications  graph  for 


a system  are  as  shown  in  Figure  6.2.  (The  initial  node  is  tested  by  the 


cooperative  testing  technique  and  any  node  qualifies  to  be  an  Initial  node.) 


Let  1 be  the  initial  node  with  the  corresponding  roving  graph 


consisting  simply  of  the  chain  l-*-2-*-3-*-4-*-5-+-6.  Assume  that  node  4 
finds  node  3 to  be  faulty.  Reconfiguration  will  be  affected  when  node  4 


can  Inform  nodes  6,  1 and  3 about  the  fault  in  node  3.  The  shortest 


hops  in  this  case  are  4-6,  4-6-1  and  4-3  Implying  a reconfiguration  delay 


For  graphs  with  a small  number  of  nodes,  it  will  be  found  that 


the  reconfiguration  delay  _<  2.  Also  for  graphs  with  large  number  of  nodes 


r 


u 

0 

y 

y 


i] 

[j 

o 

n 

J 


y 


109 

and  high  connectivity,  the  average  number  of  hops  to  reach  the  neighbors 
of  a faulty  node  will  be  found  to  be  close  to  2. 

In  concluding  this  section,  it  may  be  mentioned  that  it  is 
conjectured  that  the  interesting  properties  of  symmetric  graphs  extend 
also  to  t-fault  testable  systems,  though  the  specific  bound  on  the 
reconfiguration  delay  may  be  a function  of  t. 

6.3  Reusability 

As  defined  in  Chapter  4 a system  is  said  to  be  reusable  after  a 
fault  if  the  system  is  reconflgurable  after  detection  of  the  fault  and 
the  communications  graph  of  the  reconfigured  system  has  the  minimum 
number  of  nodes  and  minimum  links  between  the  nodes  necessary  for  useful 
functioning  of  the  system.  The  definition  implies  that  there  is  a basic 
system  which  must  be  contained  by  the  system  under  operation  in  order 
that  the  system  may  be  used  effectively.  If  there  are  different  types 
of  nodes  in  the  system  then  it  may  be  necessary  to  have  at  least  a certain 
number  of  each  type  in  the  system.  Ordinarily,  it  may  be  sufficient  for 
the  specified  nodes  to  form  a connected  communications  graph.  If, 
instead,  the  basic  system  also  specifies  some  necessary  links  between 
the  nodes,  then  the  problem  of  determining  reusability  is  similar  to  the 
problem  of  Hayes  [10]  in  that  it  becomes  necessary  to  determine  whether 
the  reconfigured  system  contains  a subgraph  isomorphic  to  the  basic  graph 
for  the  system.  For  convenience,  the  latter  type  of  reusability  will  be 
termed  second  order  reusability  in  contrast  to  first  order  reusability 
where  only  the  connectivity  between  the  basic  system  nodes  is  important. 

The  following  result  may  be  proved  without  difficulty. 


IJ 

; i 


i 


no 


Theorem  6.2 

If  the  basic  system  configuration  requires  n.^  nodes  of  type  i 
then  a d-fault  testable  and  reconfigurable  system  is  first  order  reusable 
if  and  only  if  there  are  d + ni  nodes  of  type  i. 


Proof : 


If  there  are  fewer  than  d + n^  nodes  of  type  i then  the 


occurrence  of  d faults  among  the  nodes  of  type  i alone  results  in  fewer 
than  n^  nodes  of  type  i remaining  in  the  reconfigured  system  and  the 
system  is  not  reusable. 

Conversely,  if  there  are  at  least  d + n^  nodes  in  the  system, 
then  the  fact  that  the  system  is  d-fault  reconfigurable  implies  that  all 
the  nodes  in  the  system  must  remain  connected  even  after  d faults  have 
occurred.  The  resulting  system  after  reconfiguration  is  guaranteed  to 


have  at  least  n^  nodes  of  type  i implying  reusability. 


Q.E.D. 


What  the  above  result  indicates  is  that  the  three  graphs , viz . , 
the  system  diagnostic  graph,  the  system  communications  graph  without 
distinguishing  node  types,  and  the  system  communications  graph  with  node 
type  information,  have  their  own  significance.  Each  of  the  graphs  must  be 
individually  and  systematically  analyzed  in  order  to  draw  meaningful 
conclusions  about  the  behavior  of  the  system  under  faults. 

An  observation  about  reconfigurability  and  reusability  in  actual 
systems  is  in  order  here.  In  all  the  foregoing  discussion  the  tolerance 
to  faults  was  determined  by  the  worst  possible  case.  In  actual  systems 
it  may  quite  well  be  the  case  that  a set  of  k faults  which  occur  in  a 
d-fault  testable,  reconfigurable  and  reusable  system  may  actually  leave 
a system  which  is  better  than  (d-k)-fault  testable,  reconfigurable  and 


Ill 


reusable.  The  maximum  number  of  faults  that  the  system  can  tolerate  while 
remaining  usable  is  a very  optimistic  measure  and  is  not  a judicious  one 
in  designing  fault-tolerant  systems  except  from  the  probabilistic  point 
of  view.  The  probabilistic  treatment  could  take  account  of  the  fact  that 
systems  designed  to  be  d-fault  testable,  reconfigurable  and  reusable  are 
in  a sense  "over"-designed  and  can  tolerate,  with  a high  probability,  a 
greater  number  of  faults.  An  interesting  treatment  of  this  problem  and 
the  relation  between  the  reliability  and  the  performance  of  systems  with 
time  is  presented  in  a paper  by  Abraham  and  Metze  [23]. 

When  the  units  involved  in  the  operation  of  the  system  are 
non-homogeneous  in  nature,  second  order  reusability  must  be  considered. 

The  redundancy  in  terms  of  the  total  number  of  extra  units  required 
increases  in  this  case  and  the  probability  of  the  system  remaining  useful 
after  a specified  number  of  faults  will  tend  to  be  higher.  This  is 
because  the  total  number  of  redundant  units  in  the  system  is  considerably 
larger  when  there  are  many  types  of  units  than  when  the  system  is  homo- 
geneous. The  deterministic  aspects  of  this  problem  involve  results  from 
the  graph  theoretic  problem  of  subgraph  isomorphism  [32]  and  will  not  be 
discussed  here. 

6.4  Self-Testable  System  Design 

The  results  on  the  analysis  of  systems  for  testability,  recon- 
figurability and  reusability  can  be  usefully  employed  in  the  design  of 
nearly  self-testable  systems.  Traditionally,  the  design  of  systems  has 
been  approached  with  an  ultimate  aim  of  obtaining  "optimal"  designs.  The 
optimality  criteria  may  include  cost  of  the  designed  system,  performance 
of  the  designed  system,  cost  per  performance,  etc.  The  search  for 


_ 


m .....  . . ~ vii  ■ 


112 


mug 


U 

w 


0 


optimality  is  itself  costly,  however,  and  often  an  easily  derived  near- 
optimal  design  may  be  preferred  to  the  effort  required  to  derive  an 
optimal  design.  This  section  will  present  some  designs  which  are  simple, 
easy  to  implement,  and  easily  extensible. 

Assume  that  it  is  required  to  design  a 1-fault  testable  system 
consisting  of  just  one  type  of  node  with  the  basic  system  requiring  k 
nodes.  Assuming  that  any  node  may  be  tested  by  any  other  node,  the 
system  whose  graphs  are  shown  in  Figure  6.3  is  a simple  and  almost  optimal 
design. 

Using  the  cooperative  testing  technique,  the  initial  node  3 may 
be  tested.  Thereafter,  node  i tests  node  i + 1.  The  system  is  1-fault 
reconfigurable  because  every  node  is  contained  in  a Hamiltonian  circuit 
of  the  system  communications  graph.  By  Theorem  6.2  since  there  are  k + 1 
nodes  in  the  system  and  the  system  is  1-fault  testable  and  reconfigurable, 
it  must  be  reusable. 

The  particular  system  is  near  optimal  if  the  criterion  for 
optimality  is  the  total  number  of  nodes  and  links  in  the  system.  It  may  be 
easily  shown  that  no  less  than  k + 1 nodes  and  k + 1 links  can  meet  the 

system  requirements.  The  specified  system  has  k + 1 nodes  and  k + 2 

links. 

Considering  the  time  taken  for  reconfiguration  in  the  above 
system,  it  is  seen  that  in  the  worst  case,  the  information  must  travel 

over  k - 1 nodes.  This  happens  when  some  node  i,  3 <_  i <_  k + 1,  finds  a 

fault  in  the  node  that  it  tests.  A design  which  is  better  from  the  point 
of  view  of  reconfiguration  delay  is  shown  in  Figure  6.4. 


The  communications  graph  is  symmetric  and  further  the  connectivity 
of  the  graph  is  3.  Hence  by  Theorem  6.1,  the  reconfiguration  delay  for 
the  system  is  not  greater  than  4.  The  following  result  however  indicates 
that  the  reconfiguration  delay  for  the  system  is  £ 2. 

Theorem  6.3 

In  the  system  of  Fig.  6.4,  if  the  chosen  roving  graph  is  the 
directed  Hamiltonian  chain  1 •+■  2 ->■  ...  -*•  k + 1 with  node  1 as  the  initial 
node,  then  the  reconfiguration  delay  of  the  system  is  £ 2. 

Proof: 

(All  arithmetic  is  assumed  modulo  n.)  If  node  i finds  node  i + 1 
faulty  then  node  i needs  to  inform  node  i - 1,  node  i + 2 and  node  i + 3. 
Node  i is  connected  to  the  first  two  of  these  nodes,  while  node  i + 3 may 
be  reached  through  node  i + 2 in  2 hops.  Hence  the  theorem.  Q.E.D. 

When  designing  for  d-fault  systems,  the  same  technique  may  be 
directly  extended.  Thus  Figure  6.5  shows  a homogeneous  3-fault  testable 
system  which  is  reconfigurable  and  reusable  for  a basic  system  of  7 nodes. 
The  initial  node,  node  7,  is  tested  by  the  cooperative  testing  technique 
using  nodes  1 through  6. 

The  roving  graph  for  the  system  is  simply  the  graph  of  Figure  6.5 
without  the  directed  arcs  to  node  7.  The  nodes  8,  9 and  10  are  the  typical 
nodes  for  the  system.  If  the  basic  system  is  required  to  have  k nodes, 
k > 7,  then  it  is  sufficient  to  have  the  first  seven  nodes  as  shown,  and 
the  remaining  k - 7 nodes  connected  as  for  nodes  8,  9 and  10.  Thus 
expanding  the  system  is  straightforward. 

The  limitation  that  one  encounters  in  extending  this  approach 
to  d-fault  testable  systems  is  the  number  of  ports  that  must  exist  in  the 


117 


; 


M 


J 


a 

a 

a 

u 

u 

0 

si 

1 

i 


u 


system  nodes.  This,  in  fact,  is  an  inherent  limitation  of  the  roving 
diagnosis  approach  just  as  it  was  in  the  case  of  one-step  diagnosability 
or  sequential  diagnosability  without  repair,  and  is  the  penalty  that  is 
paid  for  the  attempt  to  eliminate  global  supervision. 

This  section  is  concluded  with  a design  of  a system  in  which  the 
individual  nodes  cannot  be  tested  by  one  unit  alone.  Assume  that  the 
system  is  to  be  1-fault  detectable,  reconfigurable  and  reusable  with  each 
unit  requiring  3 other  units  to  perform  a complete  test  on  it.  (This  may 
be  the  case  when  the  individual  units  are  too  complex  to  be  tested  by 
just  one  other  unit  of  its  type  or  when  resource  limitations  prevent  a 
complete  test  by  one  unit.) 

The  roving  graph  for  the  system,  assuming  a basic  system 
requiring  9 homogeneous  nodes,  is  shown  in  Figure  6.6.  Except  for  the  fact 
that  there  are  3 initial  nodes  instead  of  one,  the  graph  is  similar  to 
the  roving  graph  for  the  3-fault  testable  system,  when  labels  on  the  test 
edges  are  removed. 

The  most  convenient  way  to  perform  the  diagnosis  of  initial 
nodes  would  be  to  employ  6 nodes  to  diagnose  unit  1,  5 to  diagnose  unit  2 
and  4 to  diagnose  unit  3 as  shown  in  Figure  6.7.  While  this  does  make 
initial  node  diagnosis  more  expensive  than  in  the  case  of  single  mask 
per  test  systems,  it  is  better  than  using  six  nodes  to  diagnose  each  of 
the  nodes  1,  2 and  3.  The  communications  graph  must  contain  links 
between  the  nodes  4 through  9,  as  before. 

A proof  that  the  graphs  of  Figures  6.6  and  6.7  achieve  their 
intended  purpose  is  straightforward  and  is  not  presented  here. 


* 


J 


0 

0 

u 

0 
0 
0 

1 
i 
0 


6.5  Miscellaneous  Practical  Aspects 

One  of  the  problems  that  is  likely  to  be  encountered  in  practical 
implementations  of  the  roving  diagnosis  scheme  is  the  actual  communication 
between  the  various  nodes  during  testing.  For  example,  during  testing  of 
one  node  by  another,  the  faulty  node  being  tested  may  simply  "hang"  and 
not  send  any  response  to  test  stimuli.  The  testing  node,  of  course,  must 
be  able  to  recognize  such  a condition  from  a normal  delay  over  communica- 
tion links.  It  is  under  these  circumstances  that  the  value  of  a testing 
link  directly  connecting  the  testing  node  and  the  tested  node  is  realized. 
The  testing  node  can  now  simply  wait  for  a prespecified  length  of  time 
before  declaring  the  node  being  tested  as  faulty  or  slower  than  acceptable. 

A related  problem  is  one  of  minimization  of  the  number  of  hops 
over  which  messages  must  travel  during  the  testing  itself.  Consider  the 
two  roving  graphs  for  a homogeneous  system  shown  in  Figure  6.8.  The 
advantage  in  having  a regular  balanced  tree  over  a chain  (which  is  also 
a tree,  but  a degenerate  one)  is  that  testing  can  proceed  in  parallel 
thus  minimizing  the  total  time  involved  in  testing.  In  the  case  of  the 
chain,  however,  there  is  no  choice  as  to  the  sequence  in  which  the  testing 
must  proceed.  Clearly,  a node  that  has  just  been  found  to  be  fault-free 
will  proceed  to  act  as  the  next  tester  and  thus  a true  roving  is  achieved. 
For  the  tree,  one  possible  sequence  starts  with  1 testing  2,  2 testing  4, 

4 testing  8 and  a jump  back  to  1 to  test  3.  In  order  for  this  to  happen, 
a message  must  be  sent  back  from  node  8 to  node  1 which  involves  3 hops. 
Thus,  while  such  a sequence  does  not  tie  up  any  node  for  too  long  in 
diagnosis,  it  is  not  very  efficient  from  the  point  of  view  of  total 
number  of  message  hops. 


1 

« 


I 


FP-627X 


(a)  A Tree 


(b)  A Chain 


0 


Figure  6.8  Two  Possible  Roving  Graphs  for  a 10-Node 
Homogeneous  System 


A better  sequence  which  can  exploit  the  parallelism  in  the 
system  also  would  start  with  1 testing  2 and  followed  by  1 testing  3 in 
conjunction  with  2 testing  4,  and  so  on.  This  assumes  that  more  than 
one  area  can  be  performing  diagnosis  at  the  same  time.  If  because  of 
some  performance  constraints  only  one  area  should  be  diagnosing  at  any 
given  time  then  it  can  be  easily  seen  that  the  chain  would  be  the  best 
roving  graph  in  terms  of  minimizing  the  number  of  messages  sent.  In 
SMPT  diagnostic  graphs,  this  implies  the  necessity  for  the  existence  of 
a Hamiltonian  path.  (The  roving  graph  for  the  3 fault  testable  system  cf 
Figure  6.5  satisfies  this  condition.  It  further  enjoys  the  advantage  of 
possessing  a Hamiltonian  path  even  if  the  system  reconfigures  around  1 or 
2 faults.) 

The  final  problem  to  be  discussed  involves  the  propagation  of 
the  network  topology  information  to  all  the  nodes  in  the  system.  The 
primary  question  here  is  whether  all  the  nodes  in  the  system  are  required 
to  know  the  complete  topology  of  the  system  in  order  to  function  effectively 
or  whether  the  knowledge  of  who  its  active  neighbors  are  is  sufficient  for 
a node. 

This  question  assumes  importance  during  reconfiguration  because, 
except  in  very  few  topologies  like  the  complete  graph,  the  greater  the 
number  of  nodes  which  need  to  be  informed  about  a fault,  the  greater  will 
be  the  time  required  to  effect  reconfiguration. 

Some  guidelines  for  design  have  already  been  presented  in 
Section  6.2  for  the  case  when  only  the  neighbors  of  a faulty  node  need  to 
be  informed  about  the  fault. 


L23 


u 

u 

Q 


0 

0 
: I 

10 


Is  defined  as  the  minimum  number  of  edges  contained  in  a chain  (a  directed 
chain  if  the  graph  is  a directed  graph)  joining  f^  and  f^.  The  maximum 
distance  between  all  pairs  of  vertices  in  a connected  graph  is  called  the 
diameter  of  the  graph.  Thus  in  order  to  reduce  reconfiguration  delay, 
when  all  the  nodes  need  to  be  informed  about  a fault  in  some  node,  the 
diameter  of  the  communications  graph  must  be  reduced.  If  all  the  nodes  in 
the  system  know  the  system  topology  completely  at  the  beginning,  then  on 
the  occurrence  of  a fault,  the  simple  propagation  of  the  fault  informa- 
tion down  the  shortest  paths  will  ensure  a complete  update  of  the  topology 
at  each  node. 

If,  on  the  other  hand,  each  node  in  the  system  needs  to  know 
only  the  distances  between  Itself  and  the  other  nodes,  a simple  ARPANET-like 
strategy  [33]  may  be  used.  Here  each  node  gathers  Information  from  each 
of  its  neighbors  to  determine  the  distances  between  them  and  all  the 
other  nodes.  By  comparing  the  Information  from  the  neighbors,  the  node 
can  decide  the  shortest  distance  between  itself  and  the  rest  of  the  nodes 
in  the  system.  It  can  also  decide  which  specific  neighbor  is  on  the 
shortest  path  between  it  and  some  other  node. 

One  of  the  major  advantages  of  the  roving  diagnosis  scheme  and 
the  associated  models  as  presented  here  is  the  fact  that  they  can  be 
applied  to  either  loosely  coupled  distributed  computer  communication 
networks  or  to  tightly  coupled  computer  systems.  The  details  of  the 
demarcation  into  convenient  functional  blocks  may  vary  in  the  two  cases, 
but  once  the  relevant  graphs  have  been  drawn,  the  possibility  of  roving 
diagnosis  may  be  investigated  through  the  methods  described.  Further, 


the  theory  developed  can  also  be  used  to  determine  suitable  modifications 
to  an  existing  system  so  that  the  diagnosis  of  the  system  may  be  performed 
with  virtual  elimination  of  a global  supervisor.  (It  may  be  recalled 
that  the  only  hard-core  required  for  the  presented  approach  is  a 
mechanism  by  which  the  testing  units  for  the  initial  node  are  instructed 
to  begin  testing  the  initial  node.) 


125 


t 


{ 

f 


[I 


u 

u 


7 . CONCLUDING  REMARKS 

This  chapter  concludes  the  thesis  by  summarizing  the  salient 
results  that  have  been  obtained  and  discussing  directions  in  which  further 
work  may  be  done. 


Q 

0 

0 

0 

0 

0 

1] 

E 

1 


7.1  Detection  of  a Fault-Free  Unit 

As  shown  in  Chapter  2,  the  problems  of  finding  at  least  one  good 
unit  in  the  system  is  identical  to  d/s  diagnosability  of  Friedman  [16]  for 
the  special  case  of  s * n - 1,  n being  the  total  number  of  units  in  the 
system.  The  necessary  and  sufficient  conditions  for  d/ (n-1)  diagnosability 
were  derived.  In  the  case  when  no  more  than  one  unit  is  required  to  test 
another,  it  was  shown  that  default  diagnosability  with  repair  is  a 
sufficient  condition  for  finding  at  least  one  good  unit  in  the  system  if 
the  system  diagnostic  graph  is  connected,  while  it  is  also  a necessary 
condition  if  the  graph  is  strongly  connected.  In  most  other  cases 
however  d/(n-l)  diagnosability  seems  to  be  more  easily  satisfiable  in 
systems  than  d-fault  diagnosability  with  repair  (and  hence  also  easier  to 
satisfy  than  d-fault  diagnosability  without  repair) . A graph-theoretic 
parameter  called  the  system  implication  index  was  defined.  It  was  shown 
that  for  a system  in  which  every  unit  has  exactly  one  test  (possibly 
involving  many  diagnosing  units),  d/(n-l)  diagnosability  may  be  ensured 
by  making  the  implication  index  large  enough. 

7.2  Decomposition  of  Systems 

Chapter  3 related  the  closure  index,  and  hence  the  diagnosability, 


A 


of  a system  with  the  closure  indices  and  the  diagnosabillties  of  the 
composing  subsystems  for  the  system.  While  convenient  upper  and  lower 


bounds  on  the  diagnosability  of  the  system  may  be  obtained,  an  exact  value 
of  the  diagnosability  often  requires  more  detailed  knowledge  about  the 
subsystems  themselves.  The  knowledge  of  the  characteristics  of  the 
interconnections,  for  example  its  directionality  or  whether  it  is 
constructive  or  not,  is  further  useful  information  in  obtaining  better 
bounds  on  the  system  diagnosability. 

The  open-circuit  diagnosability  defined  in  the  chapter  is  a 
useful  tool  in  system  analysis.  It  is  felt  that  there  should  exist  at 
least  one  other  measure,  which,  along  with  open-circuit  diagnosability, 
will  characterize  a subsystem  completely  with  respect  to  its  points  of 
connection  to  the  outside  world.  Further  work  needs  to  be  done  in  this 
direction. 

7.3  Roving  Diagnosis 

Roving  diagnosis,  described  in  Chapter  4,  is  shown  to  be  a 
practical,  feasible  means  of  diagnosing  large  systems,  with  almost  no 
aid  of  an  external  supervisor.  The  key  requirements  for  a system  to  be 
able  to  perform  roving  diagnosis  are  the  existence  of  a suitable  roving 
subgraph  in  the  system  diagnostic  graph  and  a mechanism  to  test  certain 
distinguished  nodes  called  the  initial  nodes.  Chapter  5 discussed  the 
time  required  to  "rove"  through  the  system  and  provided  algorithms  for 
determining  appropriate  roving  graphs  given  the  fault  model  and  the 
system  diagnostic  graph. 

Reconfiguration  of  the  system  under  a fault  and  reusability  of 
the  system  after  reconfiguration  were  issues  discussed  in  Chapter  6.  The 
problem  of  reconfigurability  has  been  related  to  the  well  studied  graph- 
theoretic  problem  of  connectivity.  It  was  also  shown  that  certain 


L2 


properties  of  the  system  communications  graph  lead  to  desirable  systems 
where  the  delay  in  reconfiguring  after  a fault  is  small.  Reusability  of 
systems,  especially  when  different  types  of  nodes  are  involved,  is  a more 
difficult  issue.  At  present,  results  are  sparse.  More  work  may  be  done 
in  this  area.  A relationship  may  exist  between  the  reusability  problem 
and  the  fault  recovery  problem  studied  by  Hayes  and  Yanney  [10,21]. 

As  evident  from  the  sample  designs  of  Chapter  6,  the  complexity 
of  interconnections  increases  rapidly  as  the  system  is  required  to 
tolerate  more  faults.  It  must  be  noted,  nevertheless,  that  this 
complexity,  while  worse  in  comparison  to  sequential  diagnosability , is 
comparable  to  the  complexity  for  one-step  diagnosability,  and  probably 
lower  in  comparison  to  intermittent  fault  diagnosability.  Intuitively, 
one  may  attribute  this  as  the  cost  for  being  able  to  locate  all  the  faults 
in  the  system  up  to  a given  maximum  without  ambiguity  and  without 
analyzing  the  entire  system  fault  syndrome.  Added  to  that  are  the  benefits 
due  to  virtual  elimination  of  global  hard-core  and  due  to  the  parallelism 
of  diagnosis  with  other  computation. 

More  fruitful  work  remains  to  be  done,  especially  in  the  area  of 
probabilistic  analysis  of  roving  diagnosis.  A start  in  this  direction  was 
made  by  Abraham  and  Metze  [23],  where  an  example  is  provided  demonstrating 
that  roving  diagnosis  leads  to  systems  which  are  far  superior  in  per- 
formance while  being  almost  as  reliable  compared  to  systems  using  classical 
redundancy.  Further  examples  need  to  be  worked  out  especially  for  cases 
involving  non-homogeneous  nodes  and  reusability  of  the  second  order.  A 
probabilistic  analysis  of  the  various  schemes  for  testing  initial  nodes 
would  also  be  quite  useful. 


■r  ~ II  i 


' ■ . 


reflects  the  fact  that  any  test  for  a fault  in  a unit  is  invalidated  also 
by  a fault  in  the  unit  monitoring  the  checker  output  of  the  former  unit.) 

The  recent  flurry  of  activity  in  the  areas  of  self-checking  and 
LSI  testing  is  hence  very  encouraging. 


I 


129 


REFERENCES 


[1]  F.  P.  Preparata,  G.  Metze,  and  R.  T.  Chien,  "On  the  connection 
assignment  problem  of  diagnosable  systems,"  IEEE  Trans.  Electron. 
Comput . , vol.  EC-16,  pp.  848-854,  Dec.  1967. 

[2]  F.  P.  Preparata,  "Some  results  on  sequentially  diagnosable  systems," 
in  Proc.  Hawaii  Int.  Conf.  Syst.  Sci.,  University  of  Hawaii  Press, 
Honolulu,  Hawaii,  Jan.  1968,  pp.  623-626. 

[3]  S.  L.  Hakimi  and  A.  T.  Amin,  "Characterization  of  connection 
assignment  of  diagnosable  systems,"  IEEE  Trans.  Comput.,  vol.  C-23, 
pp.  86-88,  Jan.  1974. 

[4]  J.  D.  Russell  and  C.  R.  Kime,  "System  fault  diagnosis:  closure  and 
diagnosability  with  repair,"  IEEE  Trans . Comput . , vol.  C-24, 

pp.  1079-1088,  Nov.  1975. 

[5]  J.  D.  Russell  and  C.  R.  Kime,  "System  fault  diagnosis:  masking, 
exposure,  and  diagnosability  without  repair,"  IEEE  Trans.  Comput., 
vol.  C-24,  pp.  1155-1161,  Dec.  1975. 

[6]  S.  N.  Maheshwari  and  S.  L.  Hakimi,  "On  models  for  diagnosable 
systems  and  probabilistic  fault  diagnosis,"  IEEE  Trans . Comput . , 
vol.  C-25,  pp.  228-236,  Mar.  1976. 

[7]  H.  Fujiwara  and  K.  Kinoshita,  "Connection  assignments  for 
probabilistically  diagnosable  systems,"  IEEE  Trans.  Comput., 
vol.  C-27,  pp.  280-283,  Mar.  1978. 

[8]  S.  Mallela  and  G.  M.  Masson,  "Diagnosable  systems  for  intermittent 
faults,"  IEEE  Trans.  Comput.,  vol.  C-27,  pp.  560-566,  June  1978. 

[9]  F.  Barsi,  F.  Grandoni  and  P.  Maestrini,  "A  theory  of  diagnosability 
of  digital  systems,"  IEEE  Trans.  Comput.,  vol.  C-25,  pp.  585-593, 

June  1976. 

[10]  J.  P.  Hayes,  "A  graph  model  for  fault-tolerant  computing  systems," 
IEEE  Trans.  Comput.,  vol.  C-25,  pp.  875-884,  Sept.  1976. 

[11]  C.  V.  Ramamoorthy,  "A  structural  theory  of  machine  diagnosis,"  in 
Proc.  1967  Spring  Joint  Comput.  Conf.,  AFIPS  Conf.  Proc.,  vol.  30, 
Washington,  D.C.:  Thompson,  1967,  pp.  743-756. 

[12]  C.  V.  Ramamoorthy  and  L.-C.  Chang,  "System  segmentation  for  parallel 
diagnosis  of  computers,"  IEEE  Trans.  Comput.,  vol.  C-20,  pp.  261-270, 
Mar.  1971. 


u 

0 

0 

0 

1 
f,  ■ 

k*. 

i 


130 


[13]  C.  V.  Ramamoorthy  and  W.  Mayeda,  "Computer  diagnosis  using  the 
blocking  gate  approach,"  IEEE  Trans . Comput . , vol.  C-20,  pp.  1294- 
1299,  Nov.  1971. 

[14]  R.  P.  Batni  and  C.  R.  Kime,  "A  module-level  testing  approach  for 
combinational  networks,"  IEEE  Trans.  Comput.,  vol.  C-25,  pp.  594-604, 
June  1976. 

[15]  R.  A.  Poisel  and  C.  R.  Kime,  "A  system  interconnection  model  for 
diagnosability  analysis,"  in  Proc.  1977  Int.  Symp.  Fault-Tolerant 
Computing,  IEEE  Computer  Society  Publications,  pp.  59-63,  1977. 

[16]  A.  D.  Friedman,  "A  new  measure  of  digital  system  diagnosis,"  in 
Dig.  1975  Int.  Symp.  Fault-Tolerant  Computing,  IEEE  Computer  Society 
Publications,  pp.  167-170,  1975. 

[17]  J.  P.  Roth,  "Algebraic  topological  methods  for  the  synthesis  of 
switching  systems,  I,"  Trans.  Amer.  Math.  Soc.,  vol.  88,  pp.  301-326, 
July  1958. 

[18]  S.  Karunanithi  and  A.  D.  Friedman,  "System  diagnosis  with  t/s 
diagnosability,"  in  Proc.  1977  Int.  Symp.  Fault-Tolerant  Computing, 
IEEE  Computer  Society  Publications,  pp.  65-71,  1977. 

[19]  J.  E.  Smith,  "Universal  system  diagnosis  algorithms,"  unpublished 
document,  1977. 

[20]  J.  A.  McPherson  and  C.  R.  Kime,  "A  two- level  approach  to  modeling 
system  diagnosability,"  Proc.  1976  Int.  Symp.  Fault-Tolerant 
Computing,  IEEE  Computer  Society  Publications,  pp.  33-38,  1976. 

[21]  J.  P.  Hayes  and  R.  Yanney,  "Fault  recovery  in  multiprocessor 
networks,"  Digest  of  Papers,  1978  Fault-Tolerant  Computing,  IEEE 
Computer  Society  Publications,  pp.  123-128,  1978. 

[22]  J.  M.  McQuillan,  "Design  considerations  for  routing  algorithms  in 
computing  networks,”  in  Proc.  Hawaii  Int.  Conf.  Syst.  Sci., 

University  of  Hawaii  Press,  Honolulu,  Hawaii,  Jan.  1974. 

[23]  J.  A.  Abraham  andG.Metze,  "Roving  diagnosis  for  high  performance 
digital  systems,"  in  Proc.  Conf.  on  Info.  Sci.  and  Syst.,  The  Johns 
Hopkins  University,  Baltimore,  Maryland,  March  1978,  pp.  221-226. 

[24]  R.  G.  Busacker  and  T.  L.  Saaty,  Finite  Graphs  and  Networks:  An 
introduction  with  applications.  New  York:  McGraw  Hill,  1965. 

[25]  G.  H.  Danielson,  "On  finding  the  simple  paths  and  circuits  in  a 
graph,"  IEEE  Trans.  Circuit  Theory,  vol.  CT-15,  pp.  294-295, 

September  1968. 


3S 


131 


[26]  S.  R.  Petrick,  "On  the  minimization  of  Boolean  functions,"  Proc. 
Symp.  on  Switching  Theory,  ICIP,  Paris,  June  1959. 

[27]  W.  C.  Carter  and  P.  R.  Schneider,  "Design  of  dynamically  checked 
computers,"  IFIP  68,  vol.  2,  Edinburgh,  Scotland,  August  1968, 
pp.  878-883. 

[28]  D.  A.  Anderson,  "Design  of  self-checking  digital  networks  using 
coding  techniques,"  Coordinated  Science  Laboratory  Report  R-527, 
University  of  Illinois,  Sept.  1971. 

[29]  J.  E.  Smith  and  G.  Metze,  "The  design  of  totally  self-checking 
combinational  circuits,"  Proc.  1977  Int.  Symp.  Fault-Tolerant 
Computing,  IEEE  Computer  Society  Publications,  pp.  130-134,  1977. 

[30]  R.  S.  Wilkov,  "Analysis  and  design  of  reliable  computer  networks," 
IEEE  Trans.  Communications,  vol.  COM- 20,  pp.  660-678,  June  1972. 

[31]  H.  Frank  and  I.  T.  Frisch,  Communication,  Transmission,  and 
Transportation  Networks,  Reading,  Mass.,  Addison-Wesley , 1971. 

[32]  A.  T.  Berztiss,  "A  backtrack  procedure  for  isomorphism  of  directed 
graphs,"  JACM,  vol.  20,  pp.  365-377,  1973. 

[33]  G.  L.  Fultz  and  L.  Kleinrock,  "Adaptive  routing  techniques  for 
store-and-forward  computer-communication  networks,"  Proc.  1971 
IEEE  Int.  Conf.  Communications,  vol.  7,  pp.  3901-3908. 


132 


VITA 


Ravindra  Kumar  Nair  was  born  In  Madras,  India  on  May  7,  1953. 

He  received  a B.  Tech  degree  in  Electronics  and  Electrical  Communication 
Engineering  from  the  Indian  Institute  of  Technology,  Kharagpur  in  1974 
and  an  M.S.  degree  in  Computer  Science  from  the  University  of  Illinois  at 
Urbana-Champaign  in  1976.  He  was  a teaching  and  research  assistant  with 
the  Department  of  Computer  Science  from  1974  to  1976  and  a research 
assistant  with  the  Fault-tolerant  Systems  and  Computer  Architecture  group 
at  the  Coordinated  Science  Laboratory  from  1976  to  1978. 


